Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculating bandwidth usage of Windows machines using WMI and Splunk

nk-1
Path Finder
‎10-05-2017 12:42 PM

In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf:

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 10
object = Network Interface
index = wmi

SplunkWeb Query:

earliest=-1d host=MyHost sourcetype="Perfmon:Network Interface" | eval MB_Usage=10*Value/1024/1024| timechart span=1h sum(MB_Usage)

(multiplying by 10 because interval=10 and WMI metric is Bytes/sec?)

Would that give me MB Usage by hour for the given host?

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎10-06-2017 09:38 AM

Seems reasonable. I'd verify by doing something like this, and checking for reasonableness and number of events ...

earliest=-1d@d+600m latest=-1d@d+610m 
host=MyHost sourcetype="Perfmon:Network Interface" 
| eval MB_Usage=10*Value/1024/1024

You could also do this...

earliest=-1d host=MyHost sourcetype="Perfmon:Network Interface" 
| eval MB_Usage=3600*Value/1024/1024 
| timechart span=1h avg(MB_Usage)

If the value number is per second, then 3600 times that value number is the data per hour at that moment, and the average of those will approximate the total amount that particular hour.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...