Splunk Search

Network_Traffic DM

Jacobgruen81
Loves-to-Learn Everything

Splunk - Bytes Out/In are not going into the Network_Traffic Data Model correctly. How would I troubleshoot to find the answer in getting the right calculation? And where in Splunk would I be able to edit this, as in what settings? Please provide.

0 Karma

wenthold
Communicator

You'll have to make sure your data is CIM compliant. The root search for the datamodel is:

(`cim_Network_Traffic_indexes`) tag=network tag=communicate

You can build a search to vet the data that the datamodel is processing using the root search and showing the fields in tabular format:

(`cim_Network_Traffic_indexes`) tag=network tag=communicate | table _time action app bytes bytes_in bytes_out dest dest_ip src src_ip

Note that there are a lot more CIM fields, but since you're asking about bytes I'll focus on that. I'm assuming you have data that is tagged correctly and that you have null values for bytes, bytes_in and bytes_out; if that's the case, you have to make sure those fields exist in the source data and that those values are all numeric values and not text values. All of the bytes fields in the datamodel are calculated:

The bytes calculation is case(isnum(bytes),bytes,isnum(bytes_in) AND isnum(bytes_out),bytes_in+bytes_out,1=1,null())
The bytes_in calculation is case(isnum(bytes_in),bytes_in,isnum(bytes) AND isnum(bytes_out),bytes-bytes_out,1=1,null())
The bytes_out calculation is case(isnum(bytes_out),bytes_out,isnum(bytes) AND isnum(bytes_in),bytes-bytes_in,1=1,null())

If your source data does not have the proper combination of bytes, bytes_in, and/or bytes_out or those values are not numeric values then you will wind up with null values for the bytes field values in your datamodel.

If you have values that are non-numeric then you'll have to do some normalization work on your source data to convert them to numeric fields.
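The following search is an added troubleshooting example, not part of the reply above. It reproduces the three datamodel calculations inline on the raw events and then classifies each event by why the datamodel would end up with a null, so you can see per sourcetype whether the byte fields are missing, are text, or exist in a combination from which the other values cannot be derived. The `earliest=-24h` window is an assumption; widen or narrow it to taste.

```spl
(`cim_Network_Traffic_indexes`) tag=network tag=communicate earliest=-24h
| eval dm_bytes=case(isnum(bytes), bytes, isnum(bytes_in) AND isnum(bytes_out), bytes_in+bytes_out, 1=1, null())
| eval dm_bytes_in=case(isnum(bytes_in), bytes_in, isnum(bytes) AND isnum(bytes_out), bytes-bytes_out, 1=1, null())
| eval dm_bytes_out=case(isnum(bytes_out), bytes_out, isnum(bytes) AND isnum(bytes_in), bytes-bytes_in, 1=1, null())
| eval problem=case(
      isnull(bytes) AND isnull(bytes_in) AND isnull(bytes_out), "no bytes, bytes_in or bytes_out field extracted",
      isnotnull(bytes) AND NOT isnum(bytes), "bytes is text",
      isnotnull(bytes_in) AND NOT isnum(bytes_in), "bytes_in is text",
      isnotnull(bytes_out) AND NOT isnum(bytes_out), "bytes_out is text",
      isnull(dm_bytes) OR isnull(dm_bytes_in) OR isnull(dm_bytes_out), "only one numeric field present, the other two cannot be derived",
      1=1, "ok")
| stats count as events, first(bytes) as sample_bytes, first(bytes_in) as sample_bytes_in, first(bytes_out) as sample_bytes_out by sourcetype, problem
| sort - events
```

Run it on the search head that has the Splunk Common Information Model add-on installed, since the `cim_Network_Traffic_indexes` macro comes from that app. Any row whose `problem` is not `ok` is a sourcetype that needs field aliases or normalization; the sample values show what the raw field actually contains (thousands separators, unit suffixes and the like are the usual reason `isnum()` fails). Once the fields are fixed, rebuild the datamodel acceleration if Network_Traffic is accelerated, because the existing summaries were built from the null values and will not change on their own.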

richgalloway
SplunkTrust

Look at the definition of the DM to see what fields it uses for Bytes In and Bytes Out then verify your source has those fields. If it does not, add aliases in props.conf. Don't try to edit the DM itself.

---
If this reply helps you, Karma would be appreciated.
0 Karma
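The following props.conf fragment is an added example of the alias-and-normalize approach described above; it is not from the original reply. The sourcetype `acme:fw` and the vendor field names `sent_bytes` and `rcvd_bytes` are placeholders; substitute the sourcetype and field names the search earlier in the thread shows for your data. These are search-time settings, so they belong in the `local/props.conf` of an app on the search head, and the datamodel itself is left untouched.

```ini
# props.conf (search head, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf)
# Stanza name is the sourcetype of the firewall/flow data; "acme:fw" is a placeholder.
[acme:fw]

# Map the vendor's field names onto the CIM names the Network_Traffic datamodel expects.
# sent_bytes and rcvd_bytes are placeholders for whatever your source actually emits.
FIELDALIAS-cim_bytes = sent_bytes AS bytes_out rcvd_bytes AS bytes_in

# The datamodel only accepts numeric values, so coerce the aliased fields to numbers.
# This strips thousands separators and a trailing unit letter (e.g. "1,024" or "2048B");
# values with multipliers such as "12K" would need explicit handling instead.
# Calculated fields run after aliases, so the right-hand side sees the aliased value.
EVAL-bytes_in  = tonumber(replace(bytes_in,  "[^0-9]", ""))
EVAL-bytes_out = tonumber(replace(bytes_out, "[^0-9]", ""))
```

No `EVAL-bytes` is defined on purpose: calculated fields cannot reference other calculated fields, and the datamodel already derives `bytes` as `bytes_in + bytes_out` once both are numeric. After saving, re-run the vetting search from the earlier reply (or `| tstats count from datamodel=Network_Traffic where NOT All_Traffic.bytes=* by sourcetype` against an accelerated model) to confirm the nulls are gone, and rebuild the acceleration if the datamodel is accelerated.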