Bandwidth usage from Firewall

jparrenas26
Engager

I'm looking to create a bandwidth chart showing the bandwidth traffic through our firewall over a time period and converting the data from bytes to GB. Currently this is the search I'm running:

index=firewall host="HQ-5020-1.firstagain.local"
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by dest_interface
| rename dest_interface as Interface
| eval Bandwidth=round(bytes_in/1024/1024/1024,2)
| eval Bandwidth=Received + Sent

However, the conversion is not working and I cannot figure out how to get the time period to work. It shows the interface, but when I try a visualization I only see one data point, where I would like to see an "over time" type of graph.

1 Solution

to4kawa
Ultra Champion

index=firewall host="HQ-5020-1.firstagain.local"
| bin _time span=1min
``` one row per 1-minute bucket and interface; bytes_in/bytes_out no longer exist after stats ```
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by _time dest_interface
| rename dest_interface as Interface
``` bytes -> MB, then total ```
| eval Received=Received / 1024 / 1024, Sent = Sent / 1024 / 1024
| eval Bandwidth=round(Received + Sent,2)

Viz >> Line Chart with trellis by Interface

sample:

| tstats count where index=_internal by _time span=1h sourcetype
| fields - count
| eval bytes_out=random() / 1024 , bytes_in=random() / 1024
| stats sum(bytes_out) as Sent sum(bytes_in) as Received by _time sourcetype
| rename sourcetype as Interface
| eval Bandwidth = round( Sent + Received , 2)

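The accepted pipeline (bin by minute, sum per interface, convert to MB, total), modelled in Python as an added example so a dashboard's per-minute, per-interface numbers can be checked against raw events. This is not Splunk code and not part of the original thread; the field names (bytes_in, bytes_out, dest_interface) are taken from the question, while the sample events, the bucket start and the helper names are constructed for illustration. It also shows why the question's `eval Bandwidth=round(bytes_in/...)` placed after `stats` yields nothing: the raw field is gone once the aggregation has run.

```python
"""Added example (not part of the thread, not Splunk code): a Python model of
the accepted SPL pipeline

    | bin _time span=1min
    | stats sum(bytes_in) as Received, sum(bytes_out) as Sent by _time dest_interface
    | eval Received=Received/1024/1024, Sent=Sent/1024/1024
    | eval Bandwidth=round(Received+Sent, 2)

so per-minute, per-interface dashboard numbers can be checked against raw events.
Field names come from the question; the events below are constructed.
"""
from collections import defaultdict

BUCKET = 1699999980  # a multiple of 60, i.e. the start of a 1-minute bin (constructed)

# Constructed sample events (not real firewall logs). Byte counts are whole MiB
# so the expected results can be verified by hand.
SAMPLE_EVENTS = [
    {"_time": BUCKET + 10, "dest_interface": "ethernet1/12", "bytes_in": 1048576, "bytes_out": 524288},
    {"_time": BUCKET + 45, "dest_interface": "ethernet1/12", "bytes_in": 3145728, "bytes_out": 1572864},
    {"_time": BUCKET + 75, "dest_interface": "ethernet1/12", "bytes_in": 2097152, "bytes_out": 0},
    {"_time": BUCKET + 20, "dest_interface": "ethernet1/1", "bytes_in": 0, "bytes_out": 10485760},
]


def bin_time(epoch, span_seconds=60):
    """Equivalent of `bin _time span=1min`: floor the timestamp to the bin start."""
    return epoch - (epoch % span_seconds)


def bytes_to_mb(n):
    """The thread's conversion: bytes / 1024 / 1024 (MiB, labelled MB on the chart)."""
    return n / 1024 / 1024


def bandwidth_by_interface(events, span_seconds=60):
    """stats sum(bytes_in) as Received, sum(bytes_out) as Sent by _time dest_interface,
    followed by the unit conversion and the Bandwidth total.

    Returns one row per (bin, interface), sorted, like the stats output.
    Sums are taken on raw bytes first; the conversion runs on the summed fields."""
    sums = defaultdict(lambda: {"Received": 0, "Sent": 0})
    for ev in events:
        key = (bin_time(ev["_time"], span_seconds), ev["dest_interface"])
        sums[key]["Received"] += ev["bytes_in"]
        sums[key]["Sent"] += ev["bytes_out"]

    rows = []
    for (t, iface), s in sorted(sums.items()):
        received_mb = bytes_to_mb(s["Received"])
        sent_mb = bytes_to_mb(s["Sent"])
        rows.append({
            "_time": t,
            "Interface": iface,  # rename dest_interface as Interface
            "Received": received_mb,
            "Sent": sent_mb,
            "Bandwidth": round(received_mb + sent_mb, 2),
        })
    return rows


def original_eval_bandwidth(row):
    """The question's `eval Bandwidth=round(bytes_in/1024/1024/1024,2)` applied
    after stats. Splunk eval yields null when a referenced field does not exist,
    and bytes_in is not among the stats output fields, so the result is null
    (None here) for every row."""
    raw = row.get("bytes_in")
    if raw is None:
        return None
    return round(raw / 1024 / 1024 / 1024, 2)


if __name__ == "__main__":
    rows = bandwidth_by_interface(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("question's eval after stats:", original_eval_bandwidth(rows[0]))
```

Feed the rows to a line chart split by Interface and you get the same shape as the trellis visualization in the answer; if the Splunk panel and this model disagree for the same minute, the difference is usually events outside the search's time range or a missing extraction of bytes_in/bytes_out on some events.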

jparrenas26
Engager

Perfect, that is exactly what we were looking for.  Thank you so much!


to4kawa
Ultra Champion
index=firewall host="HQ-5020-1.firstagain.local"
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by dest_interface
``` bytes_in field is gone. ```
| rename dest_interface as Interface
| convert memg(Received) memg(Sent)
| eval Bandwidth=round(Received + Sent,2)

jparrenas26
Engager

Thank you for the quick response.  I tried the memg command but I'm receiving an error: Error in 'convert' command: The conversion type 'memg' is invalid. The only one that works is memk.  


to4kawa
Ultra Champion
| tstats count where index=_internal
| eval count = (count)."g"
| convert memk(count) as gigabyte

It was the opposite, wasn't it?
Please do the eval twice.

| eval Sent = bytes_out /1024/1024/1024
| eval Received = bytes_in /1024/1024/1024


jparrenas26
Engager

(Attachment: Splunk_PRTG.jpg) The first query seemed to be more of what we were looking for. I've added a screenshot from our monitoring software, and we're looking for something similar to this as a dashboard. My mistake on not adding this sooner.

So basically this portion: index=firewall host="HQ-5020-1.firstagain.local" dest_interface=ethernet1/12 
would be used to show the bytes in and bytes out, and then the total bytes would be calculated to show the amount of bandwidth used.  This would be represented on the chart in Mb.  I know it's asking much, but let me know what other information is needed. 
