Calculating _internal log volume for a particular host

dky
New Member

Hello, I'm trying to determine how much traffic (GB/MB/KB) a particular forwarder is sending in daily. I'm using the current command:

index=_internal* host="somehost.mydomain.com" | timechart span=1h avg(kb)

This is giving me values like:

5,832.547626 per hour. I'm assuming to get GB I would divide by 1024/1024?

Thanks

0 Karma
1 Solution

vasildavid
Path Finder

The license_usage.log provides data in bytes. To get the base2 representation of GiB you would indeed divide by bytes/1024/1024/1024 like below:

index=_internal host=license_manager source=*license_usage.log type="Usage"
 | stats sum(b) as b by h
 | eval gb=round(b/1024/1024/1024, 3)

martin_mueller
SplunkTrust

Are you looking for the volume of _internal data sent by that host, or are you trying to search events in _internal to determine overall volume sent by that host?

0 Karma

dky
New Member

Correct, I'm estimating how much network traffic is received by a single host so I can estimate how much it would cost us to send this volume into the cloud.

0 Karma

dky
New Member

I wanted to get the events hourly so I came up with this:

index=_internal host=license.example.com source=*license_usage.log type="Usage" h=someforwarder.example.com | eval megabytes=b/1024/1024 | timechart sum(megabytes) 

Does this look correct to you guys? The goal is to get MB transferred each hour throughout the day.

0 Karma

martin_mueller
SplunkTrust

Looks okay.

Keep in mind that this is licensed volume, not transferred volume - it doesn't include internal logs or filtered events.

0 Karma
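The hourly per-host calculation the thread settles on, reproduced offline in Python as an added example (not part of the original thread and not Splunk's own code): it assumes the standard license_usage.log line layout, filters on type=Usage, sums b per h and hour, and applies the same 1024-based division as the SPL. Hosts, sizes and timestamps in the sample lines are constructed.

```python
# Added example (not Splunk code): offline reproduction of the thread's SPL
#   type="Usage" | stats sum(b) by h | eval mb=b/1024/1024
# over constructed license_usage.log lines, bucketed per host and hour.
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the license_usage.log layout; hosts and sizes are made up.
SAMPLE_LOG = """\
03-01-2024 10:05:12.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="someforwarder.example.com" o="" idx="os" pool="auto_generated_pool_enterprise" b=1572864
03-01-2024 10:35:12.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="someforwarder.example.com" o="" idx="os" pool="auto_generated_pool_enterprise" b=3670016
03-01-2024 11:05:12.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog" h="dc01.example.com" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=10485760
03-01-2024 11:35:12.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="someforwarder.example.com" o="" idx="os" pool="auto_generated_pool_enterprise" b=524288
03-01-2024 11:40:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="syslog" h="" o="" idx="os" pool="auto_generated_pool_enterprise" b=2097152
03-01-2024 12:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary idx="os" b=12345678 poolsz=53687091200
"""
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
TS_FMT = "%m-%d-%Y %H:%M:%S"

def parse_line(line):
    """Return (hour bucket 'YYYY-MM-DD HH:00', {field: value}) or None."""
    try:
        ts = datetime.strptime(line[:19], TS_FMT)
    except ValueError:          # blank or non-log line
        return None
    fields = {k: (bare or quoted) for k, quoted, bare in KV_RE.findall(line)}
    return ts.strftime("%Y-%m-%d %H:00"), fields

def usage_by_host_hour(log_text, host=None):
    """Sum b (bytes) per (h, hour) over type=Usage events, optionally for one
    host; RolloverSummary lines are skipped as type="Usage" does in SPL. An
    empty h (the license manager squashes h/s above a threshold) is kept
    under '<squashed>' rather than silently dropped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("type") != "Usage":
            continue
        hour, f = parsed
        h = f.get("h") or "<squashed>"
        if host is None or h == host:
            totals[(h, hour)] += int(f["b"])
    return dict(totals)

def to_mib(nbytes, places=3):
    """Same arithmetic as the thread's eval: bytes/1024/1024, rounded."""
    return round(nbytes / 1024 / 1024, places)

def to_gib(nbytes, places=3):
    return round(nbytes / 1024 / 1024 / 1024, places)
```

Passing `host="someforwarder.example.com"` gives the per-hour series the last search above produces for one forwarder, while the unfiltered result also shows any volume the license manager reported with an empty h.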

dky
New Member

Thanks for all the assistance with this.

0 Karma

dky
New Member

Thanks, I did that, but now there is no field called "type"?

0 Karma

somesoni2
SplunkTrust

This data is generated on the License Server only, so unless you're forwarding _internal data from your License Server to indexers, you need to run this from the License Server web UI.

0 Karma

dky
New Member

Thanks, worked on the license server. Let me try to apply timechart to it.

0 Karma

martin_mueller
SplunkTrust

While you're on the license master, hit up Settings -> Licensing -> Usage Report -> Last 30 days - that should come pretty close to what you're looking for out of the box.

0 Karma

dky
New Member

What is host=license_manager? I don't have that host so the search returns null.

0 Karma

vasildavid
Path Finder

Replace "license_manager" with the host that is acting as your license manager.

0 Karma