Reporting

nestat metric: m/(Snd|Rcv)bufErrors/

asimagu
Builder

Hi guys

does any of you know how to get the netstat metric m/(Snd|Rcv)bufErrors/ ?? I have been told that this metric shows up when you do a netstat -s but I'm afraid all I am getting is this:

Udp:
2145500 packets received
266995 packets to unknown port received.
0 packet receive errors
2421484 packets sent

any ideas?

Tags (2)
0 Karma

grijhwani
Motivator

I don't see specifically what this has to do with Splunk, but my netstat -su produces similar output to yours. The answer is quite simple:

$ sudo cat /proc/net/snmp | grep -i udp
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 13451987 2317 0 14525121

Conclusion - the kernel is not recording the error counts. If it was, the first line of output would be:

Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors

Hmmm - actually, let me amend that. I have one kernel here which is counting them, but netstat is not reporting them. Perhaps this is because they currently stand at zero. Or perhaps it is simply we neither of us have a recent enough version of netstat:

$ netstat -V
net-tools 1.60
netstat 1.42 (2001-04-15)
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
HW:  +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB +EUI64

I can't seem to find a definitive answer as to whether the support needs to be compiled into netstat, whether the version is simply not current enough, or whether it simply does not report zero values. What version to you have for an example that works? I presume you have seen a working example or you would not be asking the question.

asimagu
Builder

thanks for your effort, I will have a look at those options and it may be what you were saying, we cannot report on what is not there. thanks pal 😉

0 Karma

grijhwani
Motivator

Right, well I've just had a look at the latest CentOS 5 netstat source, and at first glance it seems incapable of rendering buffer the errors, not that it is simply not compiled in. (More accurately it seems the snmp parser library is probably incapable of recognsing them.) It looks like you will have to awk /proc/net/snmp.

(Yes, I know there are later versions of CentOS, and possibly more recent versions of the source, but that is the current version I have, and it is relevant to the discussion here seeing as we already agree it is the version we both have.)

0 Karma

grijhwani
Motivator

In that case your first stop is to find out if their kernel(s) is(are) even counting UDP buffer errors, and if they are does the client even HAVE a version of netstat that returns the data? If not you could parse it out of /proc/net/snmp (assuming the fields are there, of course), but that's dirty.

But if course, bottom line is you can't report what's not there.

0 Karma

asimagu
Builder

Hi, thnks for your answer. I have the same version that you have. My client has requested this and I am trying to get my head around it, I have not seen it anywhere and I am diving the web trying to get the info in order to Splunk it

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...