Splunk Enterprise

Percentage traffic distribution display in two different datacenter

pranay04
Explorer

I have two datacenters for which I am calculating external traffic per minute, but I want to display the percentage of traffic in each datacenter. Is there a query which will show the traffic as a percentage for both DCs individually in a radial gauge?

Primary DataCenter:

index=apache host=primary source= /logs/$WebAppTok$* | replace /logs/* with * in source | replace */access.log with * in source | dedup clientip
|timechart span=1m count as clientip
|STATS AVG(clientip)

Secondary DataCenter:

index=apache host=secondary source= /logs/$WebAppTok$* | replace /logs/* with * in source | replace */access.log with * in source | dedup clientip
|timechart span=1m count as clientip
|STATS AVG(clientip)

0 Karma

chrisyounger
SplunkTrust

This might do what you need:

index=apache (host=primary OR host=secondary) source= /logs/$WebAppTok$* | replace /logs/* with * in source | replace */access.log with * in source | dedup clientip
|stats avg(clientip) by host

All the best.

0 Karma

pranay04
Explorer

I get no results found when I do "by host". And to explain a bit more, there are two data centers and each has several nodes. So when I say host=primary there are several nodes in primary, and if the "by host" command works it will give me the traffic on each of those nodes rather than the whole DC that I am looking for.

0 Karma

chrisyounger
SplunkTrust

This is one way you could do it:

index=apache (host=primary OR host=secondary) source= /logs/$WebAppTok$* | eval dc = if(host=="server1" or host=="server2" or host=="server3", "DC1", "DC2") | replace /logs/* with * in source | replace */access.log with * in source | dedup clientip
|stats avg(clientip) by dc

You could do a nicer job if you had the server-to-datacenter mapping in a lookup table.

0 Karma

chrisyounger
SplunkTrust

Also, I don't think you should have the dedup clientip part.

0 Karma

pranay04
Explorer

That still does not give me the %age.
I was looking for it to display in the radial gauge the % of users in Primary and the % of users in Secondary.

0 Karma

chrisyounger
SplunkTrust

Try this:

index=apache (host=primary OR host=secondary) source= /logs/$WebAppTok$* | eval dc = if(host=="server1" or host=="server2" or host=="server3", "DC1", "DC2") | replace /logs/* with * in source | replace */access.log with * in source | dedup clientip | stats avg(clientip) by dc | eval perc = DC1 / (DC1+DC2) | fields perc

0 Karma
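An added example, not a query posted by anyone in this thread: one way to get a per-datacenter percentage is to count distinct `clientip` values per minute for each DC, average those counts, and divide each DC's average by the sum across both. The `server1`/`server2`/`server3` host names are the placeholders from the reply above, the field names `users`, `avg_users`, `total_users` and `perc` are chosen here, and treating "traffic" as distinct client IPs per minute is an assumption.

```spl
index=apache (host=primary OR host=secondary) source= /logs/$WebAppTok$*
| eval dc=if(host=="server1" OR host=="server2" OR host=="server3", "DC1", "DC2")
| bin _time span=1m
| stats dc(clientip) AS users BY _time dc
| stats avg(users) AS avg_users BY dc
| eventstats sum(avg_users) AS total_users
| eval perc=round(100 * avg_users / total_users, 1)
| fields dc perc
```

A gauge renders a single value, so append `| where dc=="DC1" | fields perc` (or `"DC2"`) in each gauge panel; `perc` is on a 0 to 100 scale.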