Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Network Traffic with Stream

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-06-2017 01:11 AM

Hi!

I would like to monitor to total amount of traffic leaving and entering my home network. I have the following setup:
Internal network: 192.168.1.*
Firewall (internal NIC): 192.168.1.1
Firewall (external NIC): 192.168.178.23
DSL Modem: 192.168.178.1

I have Stream installed on the firewall 192.168.1.1.

I would like to see the following:
Total MB uploaded for a defined time
Total MB downloaded for a defined time

The queries I am using are:
Upload: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_in) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Download: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

When I cross compare the Up and Download statistics on my DSL router for a specific time to what I get with my queries, I get very different numbers.

Any ideas?

Thanks!

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-07-2017 11:19 AM

Ah, ok I see the error in my suggested query, however....
If your firewall has a dedicated nic connected to the router, you could just tell stream to monitor all traffic on that nic. Then you won’t need to filter anything.
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/ConfigureStreamForwarder#Use_XM...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-06-2017 06:55 AM

Well without digging into your exact setup, i think you might be better in looking at traffic to/from specific IPs (rather than ignoring traffic to a range)

Try changing your queries to:

sourcetype="stream:ip" dest_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

sourcetype="stream:ip" src_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Edit: Also - how wild, is 'wild'? and in which direction is it different?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 06:10 AM

Hi, thanks for getting back to me.

I tried your suggestion but this only provides traffic to/from that specific IP rather than via it.

Examples of differences:

Original queries:
In: 462 MB
Out: 8770 MB

Suggested queries
In: 0 MB
Out: 27 MB

DSL Router Information:
In: 435
Out: 4936

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...