Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Network Traffic with Stream

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-06-2017 01:11 AM

Hi!

I would like to monitor to total amount of traffic leaving and entering my home network. I have the following setup:
Internal network: 192.168.1.*
Firewall (internal NIC): 192.168.1.1
Firewall (external NIC): 192.168.178.23
DSL Modem: 192.168.178.1

I have Stream installed on the firewall 192.168.1.1.

I would like to see the following:
Total MB uploaded for a defined time
Total MB downloaded for a defined time

The queries I am using are:
Upload: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_in) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Download: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

When I cross compare the Up and Download statistics on my DSL router for a specific time to what I get with my queries, I get very different numbers.

Any ideas?

Thanks!

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-07-2017 11:19 AM

Ah, ok I see the error in my suggested query, however....
If your firewall has a dedicated nic connected to the router, you could just tell stream to monitor all traffic on that nic. Then you won’t need to filter anything.
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/ConfigureStreamForwarder#Use_XM...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-06-2017 06:55 AM

Well without digging into your exact setup, i think you might be better in looking at traffic to/from specific IPs (rather than ignoring traffic to a range)

Try changing your queries to:

sourcetype="stream:ip" dest_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

sourcetype="stream:ip" src_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Edit: Also - how wild, is 'wild'? and in which direction is it different?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 06:10 AM

Hi, thanks for getting back to me.

I tried your suggestion but this only provides traffic to/from that specific IP rather than via it.

Examples of differences:

Original queries:
In: 462 MB
Out: 8770 MB

Suggested queries
In: 0 MB
Out: 27 MB

DSL Router Information:
In: 435
Out: 4936

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...