Splunk Search

How to edit my search to find the Max Mbps transferred per day?

ckozma
New Member

I need to find a way to figure out how to get the Max Mbps per day over the course of a certain time frame, say a week. I currently have a search that gets some information from the Palo Alto logs, but some of the data looks incorrect; we only have a 100 Mbps connection to the outside world, which is "Ethernet 1/12"... What is wrong with this search, and how can I get the results I am looking for? Thanks in advance, Chris.

index=pan*  src_interface="ethernet1/12" | bin _time span=1s | stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time | eval day=_time | bin day span=1d | eventstats max(BI) as "Max BI" by day | dedup "Max BI" | eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string

And the results (incorrect):
[screenshot of the search results, not reproduced]

0 Karma

adonio
Ultra Champion

hi ckozma,
why did you multiply bytes_in by 8?
stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time

0 Karma

ckozma
New Member

I was trying to convert bytes to bits so that I could get Mbps (megabits per second).

0 Karma

cmerriman
Super Champion

Have you tried doing the eval before the stats? Not sure if that'll help. Is bytes_in actually bytes? You can bin _time and just rename it, and I'm not sure you need the dedup without looking at the data.

index=pan* src_interface="ethernet1/12" | bin _time span=1s | eval BI=bytes_in/131072 | stats sum(BI) as BI by _time | bin _time as day span=1d | eventstats max(BI) as "Max BI" by day | eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string

0 Karma

ckozma
New Member

Without the dedup I get multiple entries per day when I am just looking for the max per day (one max per day). With that being said, your results look much closer to what I am looking for. I am currently checking to see if the numbers add up.

0 Karma
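The pipeline the thread is building (sum bytes per second, convert with bytes*8/1024/1024, take the max per day), as an added Python example rather than Splunk code from the posts; the sample events are constructed, and the 100 Mbps link ckozma mentions is used as a plausibility check on the computed rates:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, bytes_in), not real Palo Alto data.
SAMPLE_EVENTS = [
    ("2024-03-04 10:00:00", 6_000_000),
    ("2024-03-04 10:00:00", 5_000_000),   # same second as above: must be summed
    ("2024-03-04 10:00:01", 2_000_000),
    ("2024-03-04 23:59:59", 13_000_000),  # busiest second of day one
    ("2024-03-05 08:15:30", 4_000_000),
    ("2024-03-05 08:15:30", 4_000_000),
    ("2024-03-05 12:00:00", 20_000_000),  # more than a 100 Mbps link can carry
    ("2024-03-05 17:45:00", 3_000_000),
]

# bytes -> megabits: bytes*8/1024/1024, i.e. divide by 131072 (cmerriman's constant)
BYTES_PER_MEGABIT = 1024 * 1024 / 8


def per_second_mbps(events):
    """Equivalent of: bin _time span=1s | eval BI=bytes_in/131072 | stats sum(BI) by _time"""
    totals = defaultdict(int)
    for ts, bytes_in in events:
        totals[ts] += bytes_in
    return {ts: b / BYTES_PER_MEGABIT for ts, b in sorted(totals.items())}


def max_mbps_by(events, bucket_fmt="%m/%d/%y"):
    """Equivalent of: eventstats max(BI) by day | chart first("Max BI") by date_string.
    bucket_fmt="%m/%d/%y" gives one row per day. A minute-precision key such as
    "%m/%d/%y %H:%M" gives one row per minute that has data, which is why the
    search without the dedup shows several entries per day."""
    maxes = {}
    for ts, mbps in per_second_mbps(events).items():
        key = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime(bucket_fmt)
        maxes[key] = max(maxes.get(key, 0.0), mbps)
    return maxes


def over_capacity(events, link_mbps=100):
    """Seconds whose computed rate exceeds the physical link. Any hit means the
    summed field is not per-second bytes (or is double-counted), not real traffic."""
    return [ts for ts, mbps in per_second_mbps(events).items() if mbps > link_mbps]


if __name__ == "__main__":
    for day, mbps in max_mbps_by(SAMPLE_EVENTS).items():
        print(f"{day}: max {mbps:.2f} Mbps in")
    print("seconds over link capacity:", over_capacity(SAMPLE_EVENTS))
```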