Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Network Traffic with Stream

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-06-2017 01:11 AM

Hi!

I would like to monitor to total amount of traffic leaving and entering my home network. I have the following setup:
Internal network: 192.168.1.*
Firewall (internal NIC): 192.168.1.1
Firewall (external NIC): 192.168.178.23
DSL Modem: 192.168.178.1

I have Stream installed on the firewall 192.168.1.1.

I would like to see the following:
Total MB uploaded for a defined time
Total MB downloaded for a defined time

The queries I am using are:
Upload: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_in) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Download: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

When I cross compare the Up and Download statistics on my DSL router for a specific time to what I get with my queries, I get very different numbers.

Any ideas?

Thanks!

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-07-2017 11:19 AM

Ah, ok I see the error in my suggested query, however....
If your firewall has a dedicated nic connected to the router, you could just tell stream to monitor all traffic on that nic. Then you won’t need to filter anything.
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/ConfigureStreamForwarder#Use_XM...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-06-2017 06:55 AM

Well without digging into your exact setup, i think you might be better in looking at traffic to/from specific IPs (rather than ignoring traffic to a range)

Try changing your queries to:

sourcetype="stream:ip" dest_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

sourcetype="stream:ip" src_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Edit: Also - how wild, is 'wild'? and in which direction is it different?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 06:10 AM

Hi, thanks for getting back to me.

I tried your suggestion but this only provides traffic to/from that specific IP rather than via it.

Examples of differences:

Original queries:
In: 462 MB
Out: 8770 MB

Suggested queries
In: 0 MB
Out: 27 MB

DSL Router Information:
In: 435
Out: 4936

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...