Splunk Search

How to calculate Total Bandwidth Usage using bytes,bytes_in and bytes_out

vellas78
New Member

My proxy is capturing three fields (bytes, bytes_in and bytes_out), out of which I need to calculate total bandwidth utilization for one month. I have framed the below query:
index=Proxy site="XXX"|eval BW= ((bytes_in+bytes_out)/1024)/1024
where I am adding both inbound and outbound data and then converting it into megabytes, and after that the values are displayed as below:
Top 10 Values          Count   %
0.06401729583740234    710     1.86%
0.0640115737915039     533     1.396%
0.06404876708984375    493     1.292%
0.06402873992919922    475     1.244%
0.06401443481445312    428     1.121%
0.38465213775634766    390     1.022%
0.06403446197509766    345     0.904%
But I need it to be displayed in numeric values only, and it should be in MBs or GBs, and it should also give me the overall bandwidth for one month.

0 Karma

vikramyadav
Contributor

I understood that you are trying to get total bandwidth utilization for 1 month.
Query
index=Proxy site="XXX"
| eval IO_bytes= (bytes_in+bytes_out)/1024
| eval Bytes=(bytes/1024)
| eval Total_bytes= if(IO_bytes=Bytes, Bytes,Total_bytes)
| table Bytes Total_bytes

0 Karma

jodyfsu
Path Finder

You may want to use stats instead of Top as it does other logic. I did something a little different:

search
| eval MB=(BYTES/1024/1024)
| eval GB=(MB/1024)
| stats sum(GB) by host

0 Karma

vellas78
New Member

Hi Jodyfsu,
Thank you for the search query simplification. I have 3 fields, bytes, bytes_in and bytes_out, but the above search only uses bytes/1024; does that mean bytes will capture the total data of both incoming and outgoing? Secondly, regarding the final stats sum(GB): I don't want to group by either user or host, I just want to get the total bandwidth, so doing stats sum(GB) will give the overall bandwidth, I think. Kindly correct me if I am wrong on anything explained above.

0 Karma

jodyfsu
Path Finder

Hey Vellas78, in my logs I only have the bytes so you may need to do the addition for your data.

| eval MB=((bytes_in+bytes_out)/1024/1024)
| stats sum(MB)

0 Karma
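
An added example, not part of any post in this thread: one search that returns a single overall figure for the previous calendar month and also checks whether bytes already equals bytes_in + bytes_out, which is the open question above. It assumes the index, site value and field names from the original question; the result field names (in_b, out_b, total_GB and so on) are made up for illustration. coalesce() keeps events that are missing one direction from dropping out of the sum, since adding a null field in eval yields null.

```spl
index=Proxy site="XXX" earliest=-1mon@mon latest=@mon
| eval in_b=coalesce(bytes_in, 0), out_b=coalesce(bytes_out, 0)
| stats sum(in_b) as in_bytes, sum(out_b) as out_bytes, sum(bytes) as reported_bytes, count as events
| eval total_bytes=in_bytes+out_bytes
| eval total_MB=round(total_bytes/1024/1024, 2)
| eval total_GB=round(total_bytes/1024/1024/1024, 2)
| eval reported_GB=round(reported_bytes/1024/1024/1024, 2)
| eval bytes_matches_in_plus_out=if(reported_bytes==total_bytes, "yes", "no")
| table events total_MB total_GB reported_GB bytes_matches_in_plus_out
```

Because stats runs before the unit conversion, the division happens once on the monthly total rather than per event, which avoids the long per-event decimals shown in the question.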