Solved: Calculating _internal log volume for a particular ...

dky · ‎03-08-2016

Hello, I'm trying to determine how much traffic gb/mb/kb that a particular forwarder is sending in daily. I'm using the current command:

index=_internal* host="somehost.mydomain.com" | timechart span=1h avg(kb)

This is giving me values like:

5,832.547626 per hour. I'm assuming to get GB I would divide by 1024/1024?

Thanks

vasildavid · ‎03-08-2016

The license_usage.log provides data in bytes. To get the base2 representation of GiB you would indeed divide by bytes/1024/1024/1024 like below:

index=_internal host=license_manager source=*license_usage.log type="Usage" 
 | stats sum(b) as b by h
 | eval gb=round(b/1024/1024/1024, 3)

View solution in original post

martin_mueller · ‎03-08-2016

Are you looking for the volume of _internal data sent by that host, or are you trying to search events in _internal to determine overall volume sent by that host?

dky · ‎03-08-2016

Correct, I'm estimating how much network traffic received by a single host so I can estimate how much it would cost us to send this volume into the cloud.

vasildavid · ‎03-08-2016

The license_usage.log provides data in bytes. To get the base2 representation of GiB you would indeed divide by bytes/1024/1024/1024 like below:

index=_internal host=license_manager source=*license_usage.log type="Usage" 
 | stats sum(b) as b by h
 | eval gb=round(b/1024/1024/1024, 3)

dky · ‎03-09-2016

I wanted to get the events hourly so I came up with this:

index=_internal host=license.example.com source=*license_usage.log type="Usage" h=someforwarder.example.com | eval megabytes=b/1024/1024 | timechart sum(megabytes)

Does this look correct to you guys? Goal is to get MB transferred each hour thorough the day.

martin_mueller · ‎03-09-2016

Looks okay.

Keep in mind that this is licensed volume, not transferred volume - doesn't include internal logs or filtered events.

dky · ‎03-09-2016

Thanks for all the assistance with this.

dky · ‎03-09-2016

Thanks, I did that, but now there is no field called "type"?

somesoni2 · ‎03-09-2016

This data is generated in the License Server only, so unless you're forwarding _internal data from your License server to Indexers, you need to run this from License server Web UI.

dky · ‎03-09-2016

Thanks, worked on the license server. Let me try to apply timechart to it.

martin_mueller · ‎03-09-2016

While you're on the license master, hit up Settings -> Licensing -> Usage Report -> Last 30 days - that should come pretty close to what you're looking for out of the box.

dky · ‎03-09-2016

What is host=license_manager? I don't have that host so the search returns null.

vasildavid · ‎03-09-2016

Replace "license_manager" with the host that is acting as your license manager.

Calculating _internal log volume for a particular host

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout