I'm looking to create a bandwidth chart showing the bandwidth traffic of our firewall over a time period and converting the data from bytes to GB. Currently this is the search I'm running:
index=firewall host="HQ-5020-1.firstagain.local"
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by dest_interface
| rename dest_interface as Interface
| eval Bandwidth=round(bytes_in/1024/1024/1024,2)
| eval Bandwidth=Received + Sent
However, the conversion is not working and I cannot figure out how to get the time period to work. It shows the interface, but when I try a visualization, I only see the 1 data point where I would like to see an "over time" type of graph.
index=firewall host="HQ-5020-1.firstagain.local"
| bin _time span=1min
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by _time dest_interface
| rename dest_interface as Interface
| eval Received=Received / 1024 / 1024, Sent = Sent / 1024 / 1024
| eval Bandwidth=round(Received + Sent,2)
Viz >> Line Chart with trellis by Interface
sample:
| tstats count where index=_internal by _time span=1h sourcetype
| fields - count
| eval bytes_out=random() / 1024 , bytes_in=random() / 1024
| stats sum(bytes_out) as Sent sum(bytes_in) as Received by _time sourcetype
| rename sourcetype as Interface
| eval Bandwidth = round( Sent + Received , 2)
Perfect, that is exactly what we were looking for. Thank you so much!
index=firewall host="HQ-5020-1.firstagain.local"
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by dest_interface
``` bytes_in field is gone.```
| rename dest_interface as Interface
| convert memg(Received) memg(Sent)
| eval Bandwidth=round(Received + Sent,2)
Thank you for the quick response. I tried the memg command but I'm receiving an error: Error in 'convert' command: The conversion type 'memg' is invalid. The only one that works is memk.
| tstats count where index=_internal
| eval count = (count)."g"
| convert memk(count) as gigabyte
It was the opposite, wasn't it?
Please do the eval twice.
eval Sent = bytes_out /1024/1024/1024
eval Received = bytes_in /1024 /1024 /1024
The first query seemed to be more of what we were looking for. I've added a screenshot from our monitoring software, and we're looking for something similar to this as a dashboard. My mistake on not adding this sooner.
So basically this portion: index=firewall host="HQ-5020-1.firstagain.local" dest_interface=ethernet1/12
would be used to show the bytes in and bytes out, and then the total bytes would be calculated to show the amount of bandwidth used. This would be represented on the chart in Mb. I know it's asking much, but let me know what other information is needed.
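Added example, not part of the original thread: one way to chart received, sent and total traffic over time for the single interface named in the last post. The 5-minute span, the output field names (Received_MB, Sent_MB, Total_MB, Total_Mbps) and the reading of "Mb" as either megabytes per bucket or megabits per second are assumptions; the divisor 300 is the number of seconds in the assumed 5-minute bucket.

```spl
index=firewall host="HQ-5020-1.firstagain.local" dest_interface=ethernet1/12
| timechart span=5m sum(bytes_in) as bytes_in sum(bytes_out) as bytes_out
| fillnull value=0 bytes_in bytes_out
| eval Received_MB=round(bytes_in/1024/1024, 2), Sent_MB=round(bytes_out/1024/1024, 2)
| eval Total_MB=round((bytes_in + bytes_out)/1024/1024, 2)
| eval Total_Mbps=round((bytes_in + bytes_out)*8/300/1000000, 2)
| fields _time Received_MB Sent_MB Total_MB Total_Mbps
```

The aggregated sums keep the names bytes_in and bytes_out, so the later eval steps reference fields that still exist after aggregation, and rounding is applied only once per output field. If the span is changed, the 300 in the Total_Mbps line has to change with it.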