I need to find a way to figure out how to get the max Mbps per day over the course of a certain time frame, say a week. I currently have a search that gets some information from the Palo Alto logs, but some of the data looks incorrect; we only have a 100 Mbps connection to the outside world, which is "Ethernet 1/12". What is wrong with this search and how can I get the results I am looking for? Thanks in advance, Chris.
index=pan* src_interface="ethernet1/12" | bin _time span=1s | stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time | eval day=_time | bin day span=1d | eventstats max(BI) as "Max BI" by day | dedup "Max BI" | eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string
And the results (incorrect):
Hi ckozma,
Why did you multiply bytes_in by 8?
stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time
I was trying to convert bytes to bits so that I could get Mbps (megabits per second).
Have you tried to do the eval before the stats? Not sure if that'll help. Is bytes_in actually bytes? You can bin _time and just rename it, and I'm not sure you need the dedup without looking at the data.
index=pan* src_interface="ethernet1/12" | bin _time span=1s | eval BI=bytes_in/131072 | stats sum(BI) as BI by _time | bin _time as day span=1d | eventstats max(BI) as "Max BI" by day | eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string
Without the dedup I get multiple entries per day when I am just looking for the max per day (one max per day). With that being said, your results look much closer to what I am looking for. I am currently checking to see if the numbers add up.
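To check the numbers outside Splunk, here is an added Python example (not from either poster) that mirrors the pipeline in the searches above on constructed sample events: bin to one second, sum bytes_in converted with bytes*8/1024/1024 (the same as bytes/131072), and keep the peak second per day. It also imitates `dedup "Max BI"` to show why two days with an equal peak collapse into one row; in SPL, `stats max(BI) as "Max BI" by day` in place of eventstats plus dedup gives one row per day without that risk.

```python
from collections import defaultdict
from datetime import datetime, timezone

# bytes -> megabits: bytes*8/1024/1024 == bytes/131072
BYTES_PER_MEGABIT = 131072

def max_mbps_per_day(events):
    """events: iterable of (epoch_seconds, bytes_in).
    Returns {"%m/%d/%y": peak one-second Mbps}, like
    `bin _time span=1s | stats sum(BI) by _time | ... max(BI) by day`."""
    per_second = defaultdict(float)
    for ts, bytes_in in events:
        # bin _time span=1s | stats sum(eval(bytes_in/131072)) as BI by _time
        per_second[int(ts)] += bytes_in / BYTES_PER_MEGABIT
    per_day = {}
    for sec, mbps in per_second.items():
        day = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%m/%d/%y")
        per_day[day] = max(per_day.get(day, 0.0), mbps)  # max(BI) by day
    return per_day

def dedup_on_max(per_day):
    """Imitate `dedup "Max BI"`: keep the first row per distinct value.
    Days that share the same peak are silently dropped."""
    seen, kept = set(), {}
    for day, mbps in per_day.items():
        if mbps not in seen:
            seen.add(mbps)
            kept[day] = mbps
    return kept

# Constructed sample events (epoch seconds, bytes_in), two days on a 100 Mbps link.
T0 = int(datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp())
SAMPLE = [
    (T0 + 10, 6_553_600),          # 50 Mbps in this second
    (T0 + 10, 3_276_800),          # +25 Mbps in the same second -> 75 Mbps
    (T0 + 20, 1_310_720),          # 10 Mbps
    (T0 + 86400 + 5, 9_830_400),   # day 2: 75 Mbps
    (T0 + 86400 + 6, 2_621_440),   # 20 Mbps
]

if __name__ == "__main__":
    peaks = max_mbps_per_day(SAMPLE)
    print(peaks)                   # both days peak at 75.0 Mbps
    print(dedup_on_max(peaks))     # dedup on the value keeps only one day
```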