Calculating bandwidth usage of Windows machines us...

nk-1 · ‎10-05-2017

In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf:

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 10
object = Network Interface
index = wmi

SplunkWeb Query:
earliest=-1d host=MyHost sourcetype="Perfmon:Network Interface" | eval MB_Usage=10*Value/1024/1024| timechart span=1h sum(MB_Usage)

(multiplying by 10 because interval=10 and WMI metric is Bytes/sec?)

Would that give me MB Usage by hour for the given host?

DalJeanis · ‎10-06-2017

Seems reasonable. I'd verify by doing something like this, and checking for reasonableness and number of events ...

earliest=-1d@d+600m latest=-1d@d+610m 
host=MyHost sourcetype="Perfmon:Network Interface" 
| eval MB_Usage=10*Value/1024/1024

You could also do this...

earliest=-1d host=MyHost sourcetype="Perfmon:Network Interface" 
| eval MB_Usage=3600*Value/1024/1024 
| timechart span=1h avg(MB_Usage)

If the value number is per second, then 3600 times that value number is the data per hour at that moment, and the average of those will approximate the total amount that particular hour.

Calculating bandwidth usage of Windows machines using WMI and Splunk

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Calculating bandwidth usage of Windows machines using WMI and Splunk

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits