Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Network Traffic with Stream

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-06-2017 01:11 AM

Hi!

I would like to monitor to total amount of traffic leaving and entering my home network. I have the following setup:
Internal network: 192.168.1.*
Firewall (internal NIC): 192.168.1.1
Firewall (external NIC): 192.168.178.23
DSL Modem: 192.168.178.1

I have Stream installed on the firewall 192.168.1.1.

I would like to see the following:
Total MB uploaded for a defined time
Total MB downloaded for a defined time

The queries I am using are:
Upload: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_in) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Download: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

When I cross compare the Up and Download statistics on my DSL router for a specific time to what I get with my queries, I get very different numbers.

Any ideas?

Thanks!

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-07-2017 11:19 AM

Ah, ok I see the error in my suggested query, however....
If your firewall has a dedicated nic connected to the router, you could just tell stream to monitor all traffic on that nic. Then you won’t need to filter anything.
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/ConfigureStreamForwarder#Use_XM...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-06-2017 06:55 AM

Well without digging into your exact setup, i think you might be better in looking at traffic to/from specific IPs (rather than ignoring traffic to a range)

Try changing your queries to:

sourcetype="stream:ip" dest_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

sourcetype="stream:ip" src_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Edit: Also - how wild, is 'wild'? and in which direction is it different?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 06:10 AM

Hi, thanks for getting back to me.

I tried your suggestion but this only provides traffic to/from that specific IP rather than via it.

Examples of differences:

Original queries:
In: 462 MB
Out: 8770 MB

Suggested queries
In: 0 MB
Out: 27 MB

DSL Router Information:
In: 435
Out: 4936

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...