Calculating data throughput for cloud

taijusoup64
Loves-to-Learn Lots

I'm trying to calculate the data throughput for a cloud computing solution that will be charging based on outgoing data throughput.

We're collecting on the link using Security Onion and forwarding those Zeek logs to our Splunk instance.

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR 
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes
| eval terabytes=(((((resp_bytes+orig_bytes)/1024)/1024)/1024)/1024)
| stats sum(terabytes)



This gives me traffic throughput in and out of the network for external connections; however, what I need is to calculate orig_bytes only when the id.orig_h is my `frontend` and resp_bytes only when id.resp_h is `frontend`.
I can get them separately by doing two different searches and then adding the results up by hand. But I'm sure there's a way to do what I want in one search using some sort of conditional. I've tried using where and eval if, but I'm just not skilled enough, it seems.

0 Karma

gcusello
SplunkTrust

Hi @taijusoup64 ,

Let me understand: you want to calculate bytes only when id.orig_h="frontend" AND id.resp_h="frontend", is this correct?

In this case, add the condition to the eval statement:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR 
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes, id.orig_h, id.resp_h
| fillnull value=0 orig_bytes resp_bytes
| eval terabytes=(if('id.resp_h'="front end",resp_bytes,0)+if('id.orig_h'="front end",orig_bytes,0))/1024/1024/1024/1024
| stats sum(terabytes)

Ciao.

Giuseppe

Why did you use all those parentheses?

Ciao.

Giuseppe

0 Karma

taijusoup64
Loves-to-Learn Lots

Apologies for all the parentheses, I was just trying to keep things straight in my head. There's definitely a better way to frame the query.

I tried what you suggested with:

if(id.resp_h="front end",resp_bytes,0)

Even simplifying the expression to filter on one IP address at a time gives an error. Trying to use it like this:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR 
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes
| eval terabytes=((if(id.resp_h=192.168.0.1,resp_bytes,0))+(if(id.orig_h=192.168.0.1,orig_bytes,0)))/1024/1024/1024/1024
| stats sum (terabytes)

I just get an error back from Splunk:
Error in EvalCommand: the number 192.168.0.1 is invalid

0 Karma

gcusello
SplunkTrust

Hi @taijusoup64,

Always use quotes in the eval condition:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR 
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes, id.orig_h, id.resp_h
| fillnull value=0 orig_bytes resp_bytes
| eval terabytes=(if('id.resp_h'="192.168.0.1",resp_bytes,0)+if('id.orig_h'="192.168.0.1",orig_bytes,0))/1024/1024/1024/1024
| stats sum(terabytes)

Ciao.

Giuseppe

0 Karma
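The directional accounting from the search above, reproduced offline in Python as an added example (not code from the thread) so the logic can be checked against a handful of records: the `front end` and `backend` macros are stood in for by constructed subnets, the conn.log records are constructed, and connections whose byte counters Zeek left unset count as 0 instead of nulling the sum.

```python
# Added example: offline replica of the thread's egress-accounting search over Zeek conn.log.
import ipaddress
import json

# Assumed address ranges standing in for the thread's `front end` / `backend` macros.
FRONTEND = [ipaddress.ip_network("192.168.0.0/24")]
BACKEND = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed conn.log records in Zeek's JSON output format. The last record carries
# no byte counters, which is how Zeek emits a connection whose sizes were unset.
CONN_LOG = """
{"id.orig_h":"192.168.0.1","id.resp_h":"203.0.113.5","orig_bytes":1000,"resp_bytes":50000}
{"id.orig_h":"198.51.100.9","id.resp_h":"192.168.0.2","orig_bytes":700,"resp_bytes":3000}
{"id.orig_h":"192.168.0.1","id.resp_h":"10.0.0.5","orig_bytes":99999,"resp_bytes":99999}
{"id.orig_h":"192.168.0.3","id.resp_h":"203.0.113.7"}
"""


def in_ranges(addr, nets):
    return any(ipaddress.ip_address(addr) in net for net in nets)


def egress_bytes(record):
    """Bytes sent by the frontend in one connection, mirroring the search's eval/if.

    orig_bytes count when the originator is a frontend host, resp_bytes when the
    responder is; frontend<->backend flows are excluded like the search's NOT
    clauses; a missing counter is treated as 0 instead of nulling the whole sum.
    """
    orig, resp = record["id.orig_h"], record["id.resp_h"]
    orig_fe, resp_fe = in_ranges(orig, FRONTEND), in_ranges(resp, FRONTEND)
    external = (orig_fe and not in_ranges(resp, BACKEND)) or \
               (resp_fe and not in_ranges(orig, BACKEND))
    if not external:
        return 0
    total = 0
    if orig_fe:
        total += record.get("orig_bytes") or 0
    if resp_fe:
        total += record.get("resp_bytes") or 0
    return total


def total_egress_tib(log_text=CONN_LOG):
    """Sum egress over all records and convert bytes to TiB (four divisions by 1024)."""
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return sum(egress_bytes(r) for r in records) / 1024 ** 4


if __name__ == "__main__":
    print(f"{total_egress_tib():.12f} TiB")
```

The third record (frontend to backend) contributes nothing, and only the frontend side of each remaining connection is counted, which is the behaviour the two separate searches in the question were being added up to approximate.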