Does any of you know how to get the netstat metric m/(Snd|Rcv)bufErrors/? I have been told that this metric shows up when you do a netstat -s, but I'm afraid all I am getting is this:
2145500 packets received
266995 packets to unknown port received.
0 packet receive errors
2421484 packets sent
I don't see specifically what this has to do with Splunk, but my netstat -su produces similar output to yours. The answer is quite simple:
$ sudo cat /proc/net/snmp | grep -i udp
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 13451987 2317 0 14525121
Conclusion - the kernel is not recording the error counts. If it was, the first line of output would be:
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Hmmm - actually, let me amend that. I have one kernel here which is counting them, but netstat is not reporting them. Perhaps this is because they currently stand at zero. Or perhaps it is simply that neither of us has a recent enough version of netstat:
$ netstat -V
net-tools 1.60
netstat 1.42 (2001-04-15)
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB +EUI64
I can't seem to find a definitive answer as to whether the support needs to be compiled into netstat, whether the version is simply not current enough, or whether it simply does not report zero values. What version do you have for an example that works? I presume you have seen a working example or you would not be asking the question.
Right, well I've just had a look at the latest CentOS 5 netstat source, and at first glance it seems incapable of rendering the buffer errors, not that it is simply not compiled in. (More accurately it seems the snmp parser library is probably incapable of recognising them.) It looks like you will have to awk /proc/net/snmp.
(Yes, I know there are later versions of CentOS, and possibly more recent versions of the source, but that is the current version I have, and it is relevant to the discussion here seeing as we already agree it is the version we both have.)
In that case your first stop is to find out if their kernel(s) is(are) even counting UDP buffer errors, and if they are does the client even HAVE a version of netstat that returns the data? If not you could parse it out of /proc/net/snmp (assuming the fields are there, of course), but that's dirty.
But of course, bottom line is you can't report what's not there.
Hi, thanks for your answer. I have the same version that you have. My client has requested this and I am trying to get my head around it. I have not seen it anywhere and I am diving the web trying to get the info in order to Splunk it.
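The approach suggested in the thread, reading the counters from /proc/net/snmp when netstat does not print them, is sketched below as an added example that is not part of any post above. It looks each counter up by its column name in the Udp: header line, so a kernel that does not export RcvbufErrors/SndbufErrors is reported as such instead of yielding a wrong column. The function names, the key=value output format and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read UDP counters from /proc/net/snmp by column name.

# udp_counter FIELD [FILE]: print one Udp counter, matched by header name.
# Exit status: 0 found, 1 field not exported by this kernel, 2 no Udp section.
udp_counter() {
    awk -v want="$1" '
        $1 != "Udp:" { next }               # skips Ip:, Tcp:, UdpLite: etc.
        !header_seen {                      # first Udp: line names the columns
            for (i = 2; i <= NF; i++) col[$i] = i
            header_seen = 1
            next
        }
        {                                   # second Udp: line carries the values
            if (want in col) { print $(col[want]); rc = 0 } else { rc = 1 }
            values_seen = 1
            exit
        }
        END { if (!values_seen) rc = 2; exit rc + 0 }
    ' "${2:-/proc/net/snmp}"
}

# udp_buf_errors [FILE]: one key=value line (hypothetical output format).
udp_buf_errors() {
    out=""
    for name in RcvbufErrors SndbufErrors; do
        if value=$(udp_counter "$name" "$1"); then
            out="$out$name=$value "
        else
            out="$out$name=unavailable "
        fi
    done
    printf '%s\n' "${out% }"
}

# Constructed sample of a kernel that does export the buffer counters.
sample_snmp() {
    cat <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 2145500 266995 12 2421484 12 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
UdpLite: 0 0 0 0 0 0
EOF
}
```

Calling udp_buf_errors with no argument reads the live /proc/net/snmp; a non-zero counter there means datagrams were dropped because a socket buffer was full.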