Monitoring Splunk

need a little help converting tcp_KBps to tcp_GB/day

packet_hunter
Contributor

I am searching the _internal index to find out how much data a universal forwarder is sending per day.

Here is my code (taken from settings>Monitor Console> Forwarders: Instance "Outgoing Data Rate" dashboard)

`dmc_get_forwarder_tcpin` hostname=SomeNAME
| `dmc_timechart_for_metrics_log` sum(eval(tcp_KBps)) as "KB/s", max(tcp_eps) as "Events/s"

Does anyone know the correct syntax to convert this to GB/day?

This is my attempt below; is this correct and accurate? I don't think so... looks like I need to sum all the data.

`dmc_get_forwarder_tcpin` hostname=SomeName
| `dmc_timechart_for_metrics_log` max(eval(tcp_KBps/1024/1024/60/60/24)) as "GB/day", max(tcp_eps) as "Events/s"

Thanks

1 Solution

somesoni2
SplunkTrust

Give this a try

`dmc_get_forwarder_tcpin` hostname=SomeNAME
| timechart span=1d sum(eval(tcp_KBps)) as "GB/day", max(tcp_eps) as "Events/s"
| eval "GB/day" = 'GB/day'/1024/1024


DalJeanis
SplunkTrust

I'd be surprised if either of those was right.

In the first one, you are summing a tcp_KBps field across some time range (bin size unknown), so it's no longer in KB/s, it's in KB/bin time. You probably want avg rather than sum, but if it's sum you want, then change the legend to KB.

In the second one, your conversion looks okay, but it's not clear what information you want as "GB/day". Are you trying to find out how many GB you are actually forwarding per day, or how many you would forward if it maintained that rate round the clock?

As a general case, I would put multiplication to the left of the dividing slash, and division to the right. I would also get used to the numbers 86400 (24*60*60) and 2440 (24*60), which you will be using a lot.

`dmc_get_forwarder_tcpin` hostname=SomeName
| `dmc_timechart_for_metrics_log` max(eval(tcp_KBps)) as Max_KBps, max(tcp_eps) as "Max Events/s"
| eval "Max GBpd (est)" = Max_KBps*86400/(1024*1024)

packet_hunter
Contributor

Yes I see Somesoni's reply. Thank you for your comments, and my code was completely off, but you have highlighted some concepts I need to keep in mind. Thank you.


DalJeanis
SplunkTrust

See somesoni2's version also, which bins by day and calculates ACTUAL GB per day.

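The two figures DalJeanis distinguishes above (GB/day projected from a rate versus the actual GB moved per day that somesoni2's span=1d answer bins) are easy to confuse, so here is an added worked example in Python that is not code from this thread. It models metrics.log readings as constructed (epoch_seconds, tcp_KBps) pairs and assumes, as a labelled assumption, that each reading is the average KB/s over a fixed 30 s sampling interval; the sample data for one UTC day is constructed, not taken from any forwarder.

```python
"""Added example, not code from the thread: two ways of turning Splunk
forwarder tcp_KBps metrics into "GB/day", and the check that separates them.

Constructed assumptions (not taken from the page): a forwarder's metrics.log
readings are modelled as (epoch_seconds, tcp_KBps) pairs, and each reading is
taken to be the average KB/s over a fixed sampling interval (INTERVAL_S,
assumed to be 30 s).
"""
from collections import defaultdict
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400      # 24*60*60
KB_PER_GB = 1024 * 1024      # KB -> GB in binary units, as in the thread
INTERVAL_S = 30              # assumed metrics.log sampling interval (seconds)


def kbps_to_gb_per_day(kbps):
    """Projected GB/day if a KB/s rate were sustained round the clock
    (the "Max GBpd (est)" idea: multiply on the left, divide on the right)."""
    return kbps * SECONDS_PER_DAY / KB_PER_GB


def day_key(epoch):
    """UTC calendar day, the equivalent of timechart span=1d bucketing."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def projected_gb_per_day(samples):
    """Peak-rate projection: max(tcp_KBps) scaled to a full day."""
    return kbps_to_gb_per_day(max(kbps for _, kbps in samples))


def actual_gb_per_day(samples, interval_s=INTERVAL_S):
    """Actual GB per day: each reading is KB/s over interval_s seconds, so
    kbps * interval_s is KB moved; sum per day, then convert to GB."""
    kb = defaultdict(float)
    for epoch, kbps in samples:
        kb[day_key(epoch)] += kbps * interval_s
    return {day: total / KB_PER_GB for day, total in kb.items()}


def summed_kbps_per_day(samples):
    """What a plain per-day sum of tcp_KBps divided by 1024*1024 yields under
    the assumptions above: KB/s added across readings, not KB. It is short of
    the actual figure by exactly the sampling interval."""
    total = defaultdict(float)
    for epoch, kbps in samples:
        total[day_key(epoch)] += kbps
    return {day: v / KB_PER_GB for day, v in total.items()}


def constructed_day(day_epoch, busy_kbps=100.0, idle_kbps=10.0, interval_s=INTERVAL_S):
    """Constructed sample data: one UTC day of readings, busy 08:00-18:00,
    idle otherwise. Nothing here comes from a real forwarder."""
    samples = []
    for t in range(0, SECONDS_PER_DAY, interval_s):
        hour = t // 3600
        samples.append((day_epoch + t, busy_kbps if 8 <= hour < 18 else idle_kbps))
    return samples


if __name__ == "__main__":
    day = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
    readings = constructed_day(day)
    print("projected from peak rate :", round(projected_gb_per_day(readings), 3), "GB/day")
    print("actual (integrated)      :", actual_gb_per_day(readings))
    print("plain sum of tcp_KBps    :", summed_kbps_per_day(readings))
```

With the constructed day the peak-rate projection is about 8.24 GB/day while the integrated actual total is about 3.91 GB, and the plain sum of readings comes out 30 times smaller than the integrated total. The practical check this suggests: before trusting any daily figure, confirm the real sampling cadence from the spacing of consecutive _time values in your forwarders' metrics.log, and multiply tcp_KBps by that interval before summing if you want bytes rather than a sum of rates.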


packet_hunter
Contributor

Thank you, I believe you got it.


packet_hunter
Contributor

Actually, looks like something is still not quite right with the conversion. But | timechart span=1d is getting me closer.

Thank you


packet_hunter
Contributor

It's gotta be correct per your logic, it's just hard to verify because I have so many fwdrs.
