Splunk Search

Calculating data throughput for cloud

taijusoup64
Loves-to-Learn Lots

I'm trying to calculate the data throughput for a cloud computing solution that will be charging based on outgoing data throughput.

We're collecting on the link using Security Onion and forwarding those Zeek logs to our Splunk instance.

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes
| eval terabytes=(((((resp_bytes+orig_bytes)/1024)/1024)/1024)/1024)
| stats sum(terabytes)



This gives me traffic throughput in and out of the network for external connections; however, what I need is to count orig_bytes only when id.orig_h is my `frontend`, and resp_bytes only when id.resp_h is `frontend`.
I can get them separately by running two different searches and then adding the results up by hand, but I'm sure there's a way to do what I want in one search using some sort of conditional. I've tried using where and eval if, but I'm just not skilled enough, it seems.


gcusello
SplunkTrust

Hi @taijusoup64 ,

Let me understand: you want to calculate bytes only when id.orig_h="frontend" AND id.resp_h="frontend", is this correct?

In this case, add the condition to the eval statement:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields id.orig_h, id.resp_h, orig_bytes, resp_bytes
| eval terabytes=(if('id.resp_h'="front end",resp_bytes,0) + if('id.orig_h'="front end",orig_bytes,0))/1024/1024/1024/1024
| stats sum(terabytes)

Ciao.

Giuseppe

Why did you use all those parentheses?

Ciao.

Giuseppe


taijusoup64
Loves-to-Learn Lots

Apologies for all the parentheses, I was just trying to keep things straight in my head. There's definitely a better way to frame the query.

I tried what you suggested with:

if(id.resp_h="front end",resp_bytes,0)

Even simplifying the expression to filter on one IP address at a time gives an error. Trying to use it like this:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields id.orig_h, id.resp_h, orig_bytes, resp_bytes
| eval terabytes=(if('id.resp_h'=192.168.0.1,resp_bytes,0) + if('id.orig_h'=192.168.0.1,orig_bytes,0))/1024/1024/1024/1024
| stats sum(terabytes)

I just get an error back from Splunk:
Error in 'EvalCommand': The number '192.168.0.1' is invalid.


gcusello
SplunkTrust

Hi @taijusoup64,

Always use quotes in the eval condition:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields id.orig_h, id.resp_h, orig_bytes, resp_bytes
| eval terabytes=(if('id.resp_h'="192.168.0.1",resp_bytes,0) + if('id.orig_h'="192.168.0.1",orig_bytes,0))/1024/1024/1024/1024
| stats sum(terabytes)

Ciao.

Giuseppe

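The per-direction attribution the thread arrives at, as an added example that is not part of the original posts or of Splunk's or Zeek's own code: the same selection and `if()` logic written in plain Python over a handful of constructed JSON-format conn.log lines (the format Security Onion ships Zeek logs in), so a sample of raw conn.log can be used to cross-check the Splunk total. The `front end` and `backend` address ranges, the `uid`s and all byte counts are made up for the example; the `FRONTEND`/`BACKEND` lists stand in for whatever the two macros expand to.

```python
"""Per-direction egress accounting over Zeek conn.log records.

Added example, not from the original thread. 'egress' counts orig_bytes when a
front-end host originated the connection and resp_bytes when it responded,
i.e. the SPL
    if('id.orig_h' IN <frontend>, orig_bytes, 0) + if('id.resp_h' IN <frontend>, resp_bytes, 0)
'total' is what the first search in the thread summed (orig_bytes + resp_bytes
for every matching connection), kept for comparison.
"""
import ipaddress
import json

# Hypothetical address plan standing in for the `front end` and `backend` macros.
FRONTEND = [ipaddress.ip_network("192.168.0.0/24")]
BACKEND = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed JSON conn.log lines, not real traffic. Zeek omits orig_bytes and
# resp_bytes for connections that never carried payload (e.g. conn_state S0).
SAMPLE_CONN_LOG = """\
{"uid":"C1","id.orig_h":"192.168.0.1","id.orig_p":44321,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","conn_state":"SF","orig_bytes":1500,"resp_bytes":400000}
{"uid":"C2","id.orig_h":"198.51.100.7","id.orig_p":51000,"id.resp_h":"192.168.0.1","id.resp_p":443,"proto":"tcp","conn_state":"SF","orig_bytes":800,"resp_bytes":250000}
{"uid":"C3","id.orig_h":"192.168.0.1","id.orig_p":39000,"id.resp_h":"192.168.10.5","id.resp_p":5432,"proto":"tcp","conn_state":"SF","orig_bytes":70000,"resp_bytes":900000}
{"uid":"C4","id.orig_h":"192.168.0.2","id.orig_p":40000,"id.resp_h":"203.0.113.20","id.resp_p":443,"proto":"tcp","conn_state":"S0"}
{"uid":"C5","id.orig_h":"203.0.113.30","id.orig_p":1234,"id.resp_h":"203.0.113.31","id.resp_p":80,"proto":"tcp","conn_state":"SF","orig_bytes":10,"resp_bytes":20}
{"uid":"C6","id.orig_h":"192.168.0.3","id.orig_p":41000,"id.resp_h":"203.0.113.40","id.resp_p":22,"proto":"tcp","conn_state":"SF","orig_bytes":2500,"resp_bytes":9000}
"""


def in_any(addr, networks):
    """True if addr falls in any of the given networks."""
    return any(addr in net for net in networks)


def byte_count(record, key):
    """Byte field as int; a missing field (JSON) or "-" (TSV unset marker) is zero."""
    value = record.get(key)
    return 0 if value in (None, "-") else int(value)


def account_conn_log(lines, frontend=FRONTEND, backend=BACKEND):
    """Return {'total': ..., 'egress': ...} in bytes over the selected connections."""
    total = egress = 0
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        orig = ipaddress.ip_address(rec["id.orig_h"])
        resp = ipaddress.ip_address(rec["id.resp_h"])
        orig_fe, resp_fe = in_any(orig, frontend), in_any(resp, frontend)
        # Same selection as the base search: a front-end host on one side and the
        # other side outside the back-end range (front-end to back-end traffic stays
        # internal and is not egress).
        if not ((orig_fe and not in_any(resp, backend)) or (resp_fe and not in_any(orig, backend))):
            continue
        ob, rb = byte_count(rec, "orig_bytes"), byte_count(rec, "resp_bytes")
        total += ob + rb
        # Only bytes the front-end host itself sent count towards egress.
        if orig_fe:
            egress += ob
        if resp_fe:
            egress += rb
    return {"total": total, "egress": egress}


def to_terabytes(num_bytes, binary=True):
    """Convert bytes to TiB (1024**4, as the thread does) or decimal TB (1000**4)."""
    return num_bytes / (1024 ** 4 if binary else 1000 ** 4)


if __name__ == "__main__":
    result = account_conn_log(SAMPLE_CONN_LOG)
    print(result)  # {'total': 663800, 'egress': 254000}
    print(f"egress: {to_terabytes(result['egress']):.3e} TiB")
```

In the sample, C3 is dropped because the responder is a back-end host, C4 contributes nothing because Zeek recorded no payload, and C5 is dropped because neither side is a front-end host; of the rest, only the front-end side's bytes reach `egress`, which is why it comes out well below `total`. Before comparing either figure with an invoice, confirm whether the provider bills in binary (1024-based) or decimal (1000-based) units, since the thread's `/1024/1024/1024/1024` produces tebibytes.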