Splunk Enterprise

Metrics.log - some information!

verbal_666
Builder

Hi.
I use a lot the metrics.log Indexer side, to debug some bottleneck and/or stress inside the Infrastructure.

There is a field, i can't really understand at all,

 

INFO  Metrics - group=tcpin_connections
x.x.x.x:50496:9997
connectionType=cookedSSL
sourcePort=50496
sourceHost=x.x.x.x
sourceIp=x.x.x.x
destPort=9997
kb=15.458984375
_tcp_avg_thruput=7.262044477222557
_tcp_Kprocessed=589.84765625
[...]

 

It's the "tcp_Kprocessed" field,
especially related to the field "kb", which is the most important, in my opinion.

What is in practice "tcp_Kprocessed", considering that its values are often very inconsistent and not proportionate to the kb?

Thanks.

Labels (2)
0 Karma
1 Solution

verbal_666
Builder

Yep!

Le't stay as said... if someone else wants to add something, you're welcome,

tcp_Kprocessed == Kb received by the receiver as a packet of events
kb == the real Kb (compressed) written on Indexer storage

Explicit and simple,

tcp_Kprocessed == the Networking thruput of events packet
kb == the Compressed Data written to Indexer Storage of previous packet

👍

View solution in original post

0 Karma

splunkreal
Motivator

yes, sounds logic 😉

You can add idea to document these fields at https://ideas.splunk.com/ideas/new

* If this helps, please upvote or accept solution if it solved *

verbal_666
Builder

Yep!

Le't stay as said... if someone else wants to add something, you're welcome,

tcp_Kprocessed == Kb received by the receiver as a packet of events
kb == the real Kb (compressed) written on Indexer storage

Explicit and simple,

tcp_Kprocessed == the Networking thruput of events packet
kb == the Compressed Data written to Indexer Storage of previous packet

👍

0 Karma

splunkreal
Motivator

Hello @verbal_666  I think this is the volume indexed.

 

* If this helps, please upvote or accept solution if it solved *
0 Karma

verbal_666
Builder

I'm counting the "kb" as volume of data received and ingected into Indexers.
Is this wrong, so?

So, what's the relation beetwen "kb" and "tcp_Kprocessed" ?

I'm still in doubt 🤔🤔🤔

0 Karma

splunkreal
Motivator

Seems tcp_kprocessed is total transferred data and kb the volume indexed for that particular event.

You may submit support ticket for further information as this doesn't look documented.

* If this helps, please upvote or accept solution if it solved *
0 Karma

verbal_666
Builder

Maybe could be

tcp_Kprocessed == Kb received by the receiver as a packet of events
kb == the real Kb (compressed) written on Indexer storage

So, for my purposes, i keep on using the sum of "kb" as volume of data from UF to Indexers.

Yes, it's not documented at all 🙄🙄🙄🤷‍♂️

Thanks!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...