Extract a specific value and make a visualization ...

john_snow00 · ‎10-17-2023

I have regular traffic passing through my server. The server has the IP 10.41.6.222

My goal is to extract the Rate /sec passing through the server and to be able to see theRate /sec in a graph an having x asis showing time and y axis Rate /sec (extracted values).

-----------------------------------------------------------------------------------------------------------------------------------

Rate 0/sec : Bytes 9815772 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 402/sec : Bytes 9816135 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 139587/sec : Bytes 10004146 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 147636/sec : Bytes 10009645 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10358668 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10361672 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10364579 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 69967/sec : Bytes 10364667 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 49661/sec : Bytes 10371887 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 217793/sec : Bytes 10700517 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 353829/sec : Bytes 10944230 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 93689/sec : Bytes 10946290 : from owa client to vs_owa with address 10.41.6.166:443:10.41.6.222Rate 82030/sec : Bytes 10950753 : from owa client to vs_owa with address

john_snow00 · ‎10-17-2023

Thank you Giuseppe. Can you please explain line after line ?

gcusello · ‎10-17-2023

Hi @john_snow00,

I try to explain:

<your_search> --- it's your search, e.g. index=your_index sourcetype=your_sourcetype ---
| rex "Rate\s+(?<Bytes>\d+)\/sec" --- Bytes field extraction ---
| eval MB=Bytes/1024/1024 --- change measure of Bytes field from bytes to MB ----
| timechart sum(MB) AS MB --- sum of the traffic foe time periods, it's possible to define this span period ---

Ciao.

Giuseppe

john_snow00 · ‎10-17-2023

Thank you for the explanation. The rate in seconds you see above are produced by Loadbalancer upon incoming TCP requests. The logs are later pushed to splunk for analysis.

I d'ont want to carry any futher calculation. I just want to extract the rate /sec from the raw and present it upon time (x-axis).

gcusello · ‎10-17-2023

Hi @john_snow00,

sorry, where is the timestamp?

if it isn't contained in the event, it's added by Splunk.

Anyway, you could run something like this:

<your_search>
| rex "Rate\s+(?<Bytes>\d+)\/sec"
| eval MB=Bytes/1024/1024
| timechart sum(MB) AS MB

I also added the regex to extract the field, if you already have it, don't use my regex.

Ciao.

Giuseppe

Extract a specific value and make a visualization with time

field extraction

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation