Getting Data In

how to calculate the percentage bandwidth utilization for both incoming and outgoing traffics from a switch/router?

bidahor13
Path Finder

Trying to calculate the percentage bandwidth utilization on each link -How can I achieve that?

index=snmp dst_device="mdf1" src_device="mdf2" |delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | timechart span=5s sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

Tags (2)

Richfez
SplunkTrust
SplunkTrust

Given your search, since that's all I can see, I can make a few remarks on how to accomplish this.

One method is to do some math directly in the timechart command. In this case, something like this might work:

...| timechart span=5s sum(transferedBitsIn) as Input, sum(transferedBitsOut) as output, eval(sum(transferedBitsIn)/100000000) as Percentage_in by source

Or, create a new field with the value, then use that.

...| eval Max_Bandwidth=100000000 | timechart span=5s sum(transferedBitsIn) as Input, sum(transferedBitsOut) as output, eval(sum(transferedBitsIn)/sum(Max_Bandwidth)) as Percentage_in by source

In either case, you'll have to provide your own values, and probably do a little cleanup on making it show up right. My GUESS is that you'll actually need eval(sum(transferedBitsIn)/avg(Max_Bandwidth)) instead of sum(Max_Bandwidth), but with the problems seeing your raw data (or even a sample), I'm not sure.

One final caveat, I probably did my division backwards. 🙂

bidahor13
Path Finder

lol..thanks rich7177, I will try it out.

0 Karma

Richfez
SplunkTrust
SplunkTrust

You might also have access to something like the snmp OID for ifSpeed (I believe 1.3.6.1.2.1.2.2.1.5, but could be slightly elsewhere). If you have that, and it reflects the connection speed, you could use that instead of creating your own "Max_Bandwidth". It's worth a look.

0 Karma

woodcock
Esteemed Legend

Your link "works" but shows a useless image.

How much is this related to this other question?

http://answers.splunk.com/answers/289809/how-to-calculate-bandwidth-utilization-on-an-snmp.html

bidahor13
Path Finder

not related!

0 Karma

bidahor13
Path Finder
0 Karma

sajbutler
Path Finder

Hi bidahor13

A couple of observations:
1. It looks like the transferedBitsIn and transferedBitsOut fields are calculating a per second value. If this the case, then using average would be more appropriate than sum in your timechart
2. If you want to calculate a percentage utilisation, then you need to divide bandwidth used by bandwidth total

It would be a good to get a sample of data so we can give more specific pointers

sajbutler
Path Finder

Getting a HTTP Status 403 error when clicking on the link

0 Karma

bidahor13
Path Finder

See the snap shot below:

0 Karma

sajbutler
Path Finder

Sorry, I can't see the link below. Its a broken link for me

0 Karma

bidahor13
Path Finder

hi sajbutler - I just sent you the link .Let me know if it helps thanks.

0 Karma

bidahor13
Path Finder
0 Karma

jtrucks
Splunk Employee
Splunk Employee

Can you show examples of the source event data?

--
Jesse Trucks
Minister of Magic
0 Karma

bidahor13
Path Finder

index=snmp | eval link=if(src_device previousIn , currentIn, previousIn) | eval current1_Out = if( currentOut > previousOut , currentOut, previousOut) | eval current2_In = (maxValue + current1_In)/period | eval current2_Out = (maxValue + current1_Out)/period | eval transferredBitsIn_kByte=round((current2_In)/1000 ,1) | eval transferredBitsOut_kByte=round((current2_Out)/1000,1) | timechart span=48s avg(transferredBitsOut_kByte) AS Tx_OUT avg(transferredBitsIn_kByte) AS Tx_IN by link | eval Tx_OUT = round(Tx_OUT,1) | eval Tx_IN = round(Tx_IN , 1)

0 Karma

bidahor13
Path Finder

Made some changes on my last SPL - does the data search look accurate to generate the bandwidth data and bits transferred by each link? If sit does- how do i calculate the percentage utilization for each link?

0 Karma

bidahor13
Path Finder
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...