Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check traffic volume per heavy forwarder?

hkumar26
New Member
‎08-02-2017 05:49 AM

I plan to calculate the traffic volume in GB across all our HFs. Need this to ensure check which HF is getting max traffic as this is affecting. I was able to get memory, cpu and bandwidth utilization from index= _interospection and index=_internal

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎07-05-2022 04:20 AM 
index=_internal host IN ("yourheavyforwarders") group=per_index_thruput | stats sum(kb) as kb by host
| eval GB=round(kb/1024/1024,2) | fields - kb


Note: if you want to exclude internal indexes which are starting with _(underscore), you can use below search

index=_internal host IN ("yourheavyforwarders") group=per_index_thruput series!=_* | stats sum(kb) as kb by host
| eval GB=round(kb/1024/1024,2) | fields - kb

 

————————————
If this helps, give a like below.
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎10-09-2017 12:48 PM

If you are looking for total volume sent (including _internal) and not just license usage here is a good search:

index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* 
| eval dest_uri = host.":".destPort 
| stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, dc(dest_uri) as dest_count, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, sparkline(avg(tcp_KBps), 1m) as avg_tcp_kbps_sparkline, avg(tcp_KBps) as avg_tcp_kbps, avg(tcp_eps) as avg_tcp_eps by guid, hostname 
| eval hostname = upper(hostname)

This provides quite a bit of extra info. You can convert kb to GB as needed.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-04-2017 04:03 AM

Hi hkumar26,
see Splunk Distributed Monitoring Console App and you can find your searches.
Bye.
Giuseppe

0 Karma
Reply

adonio
Ultra Champion
‎08-04-2017 02:50 AM

do you mean license usage? e.g. raw data received by indexers through Heavy Forwarders?

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...