Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to check traffic volume per heavy forwarder?

hkumar26
New Member
‎08-02-2017 05:49 AM

I plan to calculate the traffic volume in GB across all our HFs. Need this to ensure check which HF is getting max traffic as this is affecting. I was able to get memory, cpu and bandwidth utilization from index= _interospection and index=_internal

Labels (1)
Labels
0 Karma
Reply

thambisetty
Super Champion
‎07-05-2022 04:20 AM 
index=_internal host IN ("yourheavyforwarders") group=per_index_thruput | stats sum(kb) as kb by host
| eval GB=round(kb/1024/1024,2) | fields - kb


Note: if you want to exclude internal indexes which are starting with _(underscore), you can use below search

index=_internal host IN ("yourheavyforwarders") group=per_index_thruput series!=_* | stats sum(kb) as kb by host
| eval GB=round(kb/1024/1024,2) | fields - kb

 

————————————
If this helps, give a like below.
0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎10-09-2017 12:48 PM

If you are looking for total volume sent (including _internal) and not just license usage here is a good search:

index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* 
| eval dest_uri = host.":".destPort 
| stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, dc(dest_uri) as dest_count, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, sparkline(avg(tcp_KBps), 1m) as avg_tcp_kbps_sparkline, avg(tcp_KBps) as avg_tcp_kbps, avg(tcp_eps) as avg_tcp_eps by guid, hostname 
| eval hostname = upper(hostname)

This provides quite a bit of extra info. You can convert kb to GB as needed.

0 Karma
Reply

gcusello
Esteemed Legend
‎08-04-2017 04:03 AM

Hi hkumar26,
see Splunk Distributed Monitoring Console App and you can find your searches.
Bye.
Giuseppe

0 Karma
Reply

adonio
Ultra Champion
‎08-04-2017 02:50 AM

do you mean license usage? e.g. raw data received by indexers through Heavy Forwarders?

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...