Splunk - Bytes Out/In are not going into the Network_Traffic Data Model correctly. How would I troubleshoot to find the answer in getting the right calculation? And where in Splunk would I be able to edit this? As in, what settings? Please provide them.
You'll have to make sure your data is CIM compliant. The root search for the datamodel is:
(`cim_Network_Traffic_indexes`) tag=network tag=communicate
You can build a search to vet the data that the datamodel is processing using the root search and showing the fields in tabular format:
(`cim_Network_Traffic_indexes`) tag=network tag=communicate | table _time action app bytes bytes_in bytes_out dest dest_ip src src_ip
Note that there are a lot more CIM fields, but since you're asking about bytes I'll focus on that. I'm assuming you have data that is tagged correctly and that you have null values for bytes, bytes_in and bytes_out. If that's the case, you have to make sure those fields exist in the source data and that those values are all numeric values, not text values. All of the bytes value fields in the datamodel are calculated:
The bytes calculation is case(isnum(bytes),bytes,isnum(bytes_in) AND isnum(bytes_out),bytes_in+bytes_out,1=1,null())
The bytes_in calculation is case(isnum(bytes_in),bytes_in,isnum(bytes) AND isnum(bytes_out),bytes-bytes_out,1=1,null())
The bytes_out calculation is case(isnum(bytes_out),bytes_out,isnum(bytes) AND isnum(bytes_in),bytes-bytes_in,1=1,null())
If your source data does not have the proper combination of bytes, bytes_in and/or bytes_out, or those values are not numeric, then you will wind up with null values for the bytes fields in your datamodel.
If you have non-numeric values, you'll have to do some normalization work on your source data to convert them to numeric fields.
Look at the definition of the DM to see what fields it uses for Bytes In and Bytes Out then verify your source has those fields. If it does not, add aliases in props.conf. Don't try to edit the DM itself.
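To make the two answers above concrete, here is an added example (not Splunk's own code and not from either answerer) that re-implements the three case() expressions quoted in the first answer in Python and runs them over constructed sample events, so you can see exactly which combinations of bytes, bytes_in and bytes_out produce null. It then applies the fix the second answer describes: alias the vendor field names onto the CIM names and convert text values to numbers. The vendor field names sent_bytes and rcvd_bytes, the sample events, and the assumption that K/M/G suffixes mean powers of 1024 are all assumptions made for the example.

```python
import math
import re

# Added example, not Splunk's code: a Python re-implementation of the three case()
# expressions the answer quotes for the CIM Network_Traffic calculated fields, run over
# constructed sample events so you can see which field combinations produce null,
# plus a normalization pass that stands in for the props.conf FIELDALIAS/EVAL work.


def isnum(value):
    """Mimic Splunk's isnum(): True for a finite number or a string that parses as one."""
    if value is None or isinstance(value, bool):
        return False
    try:
        return math.isfinite(float(value))
    except (TypeError, ValueError):
        return False


def to_num(value):
    """Convert a numeric-looking value to int where possible, else float."""
    f = float(value)
    return int(f) if f.is_integer() else f


def calc_bytes(ev):
    # case(isnum(bytes),bytes, isnum(bytes_in) AND isnum(bytes_out),bytes_in+bytes_out, 1=1,null())
    b, bi, bo = ev.get("bytes"), ev.get("bytes_in"), ev.get("bytes_out")
    if isnum(b):
        return to_num(b)
    if isnum(bi) and isnum(bo):
        return to_num(bi) + to_num(bo)
    return None


def calc_bytes_in(ev):
    # case(isnum(bytes_in),bytes_in, isnum(bytes) AND isnum(bytes_out),bytes-bytes_out, 1=1,null())
    b, bi, bo = ev.get("bytes"), ev.get("bytes_in"), ev.get("bytes_out")
    if isnum(bi):
        return to_num(bi)
    if isnum(b) and isnum(bo):
        return to_num(b) - to_num(bo)
    return None


def calc_bytes_out(ev):
    # case(isnum(bytes_out),bytes_out, isnum(bytes) AND isnum(bytes_in),bytes-bytes_in, 1=1,null())
    b, bi, bo = ev.get("bytes"), ev.get("bytes_in"), ev.get("bytes_out")
    if isnum(bo):
        return to_num(bo)
    if isnum(b) and isnum(bi):
        return to_num(b) - to_num(bi)
    return None


def datamodel_view(ev):
    """What the data model would show for one event; None stands for Splunk's null()."""
    return {"bytes": calc_bytes(ev), "bytes_in": calc_bytes_in(ev), "bytes_out": calc_bytes_out(ev)}


# Accepts '1,024', '12 KB', '3.5MB', '500'. Assumption: k/m/g suffixes are powers of 1024.
UNIT_RE = re.compile(r"^\s*(\d[\d,]*(?:\.\d+)?)\s*([kmg]?b?)\s*$", re.IGNORECASE)
SCALE = {"": 1, "b": 1, "k": 1024, "kb": 1024, "m": 1024**2, "mb": 1024**2, "g": 1024**3, "gb": 1024**3}


def normalize_bytes(value):
    """Turn a text byte count into an int; numbers pass through; unparseable text becomes None."""
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return value
    m = UNIT_RE.match(str(value))
    if not m:
        return None
    number = float(m.group(1).replace(",", ""))
    return int(number * SCALE[m.group(2).lower()])


def normalize_event(ev, aliases):
    """Apply source-field aliases (e.g. {'sent_bytes': 'bytes_out'}), then make the byte fields numeric."""
    out = dict(ev)
    for src, dst in aliases.items():
        if src in out and dst not in out:  # an alias only fills in a missing CIM field
            out[dst] = out[src]
    for field in ("bytes", "bytes_in", "bytes_out"):
        if field in out:
            out[field] = normalize_bytes(out[field])
    return out


# Constructed sample events (not real data); sent_bytes / rcvd_bytes are hypothetical vendor names.
SAMPLE_EVENTS = [
    {"bytes_in": 100, "bytes_out": 250},            # both halves numeric: bytes is derived
    {"bytes": 600, "bytes_out": 200},               # total plus one half: the other half is derived
    {"bytes_in": "1,024", "bytes_out": "2 KB"},     # text values: everything goes null
    {"sent_bytes": "500", "rcvd_bytes": "300"},     # wrong field names: everything goes null
    {"bytes_in": 100},                              # only one half: bytes and bytes_out go null
]
ALIASES = {"sent_bytes": "bytes_out", "rcvd_bytes": "bytes_in"}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("raw       ", ev, "->", datamodel_view(ev))
        print("normalized", ev, "->", datamodel_view(normalize_event(ev, ALIASES)))
```

The third and fourth sample events are the two failure modes the answers describe: a value like "1,024" or "2 KB" is a string, so isnum() is false and every derived field is null; a value under a vendor name such as sent_bytes never reaches the calculation at all. In Splunk, the aliasing step is a FIELDALIAS- setting and the numeric clean-up an EVAL- setting in props.conf for the affected sourcetype, which is the "fix the source, don't edit the DM" route the second answer recommends; rerun the table search from the first answer afterwards to confirm the fields now show numbers.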