Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to find the Max Mbps transferred per day?

ckozma
New Member
‎04-17-2017 09:39 AM

I need to find a way to figure out how to get the Max Mbps per day over the course of a certain time frame, say a week. I currently have a search that gets some information from the Palo Alto logs, but some of the data looks incorrect, we only have a 100 Mbps connection to the outside world, which is "Ethernet 1/12"... What is wrong with this search and how can I get the results I am looking for? Thanks in advance, Chris.

index=pan*  src_interface="ethernet1/12" | bin _time span=1s | stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time | eval day=_time | bin day span=1d | eventstats max(BI) as "Max BI" by day | dedup "Max BI" | eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string

And the results (incorrect):
alt text

Preview file
58 KB
0 Karma
Reply

adonio
Ultra Champion
‎04-17-2017 10:36 AM

hi ckozma,
why did you multiple bytes_in by 8?
stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time

0 Karma
Reply

ckozma
New Member
‎04-17-2017 10:38 AM

I was trying to convert bytes to bits so that I could get Mbps (megabits per second)

0 Karma
Reply

cmerriman
Super Champion
‎04-17-2017 10:30 AM

have you tried to do the eval before the stats? not sure if that'll help. is bytes_in actually bytes? You can bin _time and just rename it, and i'm not sure you need the dedup without looking at the data.

index=pan*  src_interface="ethernet1/12" | bin _time span=1s |eval BI=bytes_in/131072| stats sum(BI) as BI by _time | bin _time as day span=1d | eventstats max(BI) as "Max BI" by day| eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string
0 Karma
Reply

ckozma
New Member
‎04-17-2017 10:44 AM

Without the dedup I get multiple entries per day when I am just looking for the max per day (one max per day). With that being said, you results look much closer to what I am looking for. I am currently checking to see if the numbers add up.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...