
Network throughput monitor

demonspork
New Member

I am trying to use *NIX to monitor my network throughput statistics and graph them nicely. I am currently using Bandwidthd, but I would like to get it all usable in one interface. Everything else worked perfectly: CPU, memory, failed login detection, everything graphs nicely. But when I try to monitor the network by throughput, I get this at the top of the page: Specified field(s) missing from results: 'TX_Thruput'

Running locally on Ubuntu 10.04, Splunk 4.1.5 build 85165. I have all of the options checked for the *NIX configuration. I checked out the searches suggested in http://answers.splunk.com/questions/4287/measure-throughput-eps-kbps-per-input but they return no results.

0 Karma

asleeis
Path Finder

I'm not sure of the actual cause.... but what I noticed in the data was that the output from "interface.sh" was including the virtual interfaces (i.e. not eth0:0, eth0:1, etc.). Those do not end up reporting all the data like the actual interface (eth0) does. I'm thinking that multikv has issues when there's no value between field separators of the "table" (i.e. two tabs with nothing in between).

Since I didn't care about the virtuals (as the data for those are included in the main interface), I modified interface.sh to exclude virtual interfaces. My method was kludgy, but seems to work. I piped the output of the command that gathered the interface list to "grep -v ':'" for the Linux section.

Bingo! Data starts getting parsed, fields defined, and graphs looking all pretty!

0 Karma

asleeis
Path Finder

Anyone have an update on this? I'm seeing this as well. When simply querying all events for the "interfaces" sourcetype (for index "os") under the Unix app, it doesn't seem to be defining fields for these. I would think that the Unix app should have defined these, no? The headers are more funky than your basic "X=Y" output... it's a column-based output (headers). But still... it's been like this for this command on Linux for a long time.

Anyone? Is this just a bug in the Unix app that needs fixing?

0 Karma

Simeon
Splunk Employee

Without seeing the output of each event in the search window, this will be hard to answer. I strongly suspect your field for TX_Thruput is not extracted by default. Typically, Splunk finds the fields you want to use automatically, but there are some cases where you must configure Splunk to properly extract fields. You will need to create a field extraction for the TX_Thruput field. You can do this via the interactive field extraction tool or via a rex command.

0 Karma

demonspork
New Member

args = host
definition = index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput = lastRX-RXbytes | eval TX_Thruput = lastTX-TXbytes | timechart eval(sum(TX_Thruput)/dc(time)) by Interface_Host

is the line in the Unix app files that seems to be the one supposed to do this task. I run that search manually and it gives the error about missing fields.

0 Karma
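The following is an added example, not code from the thread or from the Splunk *NIX app. It reproduces, outside Splunk, the two things discussed above: the column-aligned interface table that asleeis describes, where a virtual interface row (eth0:0) leaves the byte-counter cells empty and a whitespace-split parser (what multikv is suspected of doing) assigns the wrong number of fields, and the per-interface RX/TX delta that demonspork's saved search computes with streamstats. The two polls below are constructed sample data; the column layout and names (Name, inetAddr, RXbytes, TXbytes) are assumptions modelled on the search's field list, not a capture of interface.sh output.

```python
import re

# Constructed sample polls (not real interface.sh output). The eth0:0 row has
# empty RXbytes/TXbytes cells, the case the thread attributes the failure to.
POLL_T0 = """\
Name      inetAddr        RXbytes     TXbytes
eth0      192.168.1.10    1000000     500000
eth0:0    192.168.1.11
lo        127.0.0.1       2000        2000
"""

POLL_T1 = """\
Name      inetAddr        RXbytes     TXbytes
eth0      192.168.1.10    1030000     520000
eth0:0    192.168.1.11
lo        127.0.0.1       2100        2100
"""


def column_spans(header):
    """Return [(name, start, end)] from the header line; end is None for the last column."""
    starts = [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]
    spans = []
    for i, (name, start) in enumerate(starts):
        end = starts[i + 1][1] if i + 1 < len(starts) else None
        spans.append((name, start, end))
    return spans


def parse_table(text):
    """Parse rows by the header's column offsets, so an empty cell stays empty
    instead of shifting the remaining values left."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    spans = column_spans(lines[0])
    rows = []
    for line in lines[1:]:
        rows.append({name: line[start:end].strip() for name, start, end in spans})
    return rows


def parse_table_naive(text):
    """Whitespace-split parsing: a row with empty cells yields too few tokens,
    so the trailing fields (RXbytes, TXbytes) are silently missing."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def drop_virtual(rows):
    """Equivalent of asleeis's fix: pipe the interface list through grep -v ':'."""
    return [r for r in rows if ":" not in r["Name"]]


def throughput(prev_rows, cur_rows):
    """Byte deltas per interface between two consecutive polls (cur - prev).
    The saved search computes lastTX - TXbytes over results in reverse-time
    order; the sign convention here is cur minus prev. Rows whose counters
    are empty are skipped rather than mis-parsed."""
    prev = {r["Name"]: r for r in prev_rows}
    deltas = {}
    for r in cur_rows:
        p = prev.get(r["Name"])
        if p is None:
            continue
        try:
            rx = int(r["RXbytes"]) - int(p["RXbytes"])
            tx = int(r["TXbytes"]) - int(p["TXbytes"])
        except ValueError:  # empty or non-numeric cell
            continue
        deltas[r["Name"]] = {"RX_Thruput": rx, "TX_Thruput": tx}
    return deltas


if __name__ == "__main__":
    print("naive eth0:0 row:", parse_table_naive(POLL_T0)[1])
    print("offset eth0:0 row:", parse_table(POLL_T0)[1])
    print(throughput(drop_virtual(parse_table(POLL_T0)),
                     drop_virtual(parse_table(POLL_T1))))
```

Running it shows the naive parse of the eth0:0 row containing only Name and inetAddr, while the offset-based parse keeps all four columns with empty strings for the counters; either filtering the virtual rows out beforehand or skipping rows with empty counters yields the same per-interface deltas.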