
Timechart average bandwidth usage per transaction

epacke
Path Finder

Dear experts

I must confess this post and question are not properly defined. It's more a chance to pick your brains regarding investigating bandwidth usage.

We have a bunch of servers grouped by IDs. They're named as WEBXX-YY, where XX is the cluster id and YY is the node id. Each cluster serves its own application and the load is distributed between the different nodes.

My task is to investigate which application is using the most bandwidth. I ran this search to check which application uses the most bandwidth:

index=webfront sourcetype=iis host=WEB* | eval hostname = split(host, "-") | eval hostname = mvindex(hostname,0)  | eval sumMB = ((cs_bytes*8)/(1024*1024) + (sc_bytes*8)/(1024*1024)) | timechart span=1m per_second(sumMB) by hostname

But since the clusters have different amounts of clients it's not a fair comparison, so my thought was to find the average bandwidth per transaction per application. Defining a transaction by c_ip and maxpause=1s, is there a way of measuring the average bandwidth per transaction per cluster?

The result table would be:
"average per_second(sumMB) per transaction", cluster

I would like to present this with a timechart.

Hope the question is somewhat clear?

Suggestions regarding alternative approaches are most welcome!

Kind regards,
Patrik

0 Karma

woodcock
Esteemed Legend

Maybe like this (will surely need adjusting, but it should get you started):

... | transaction c_ip maxpause=1s | eval serial=_serial | stats first(duration) AS durationSeconds sum(eval(((cs_bytes*8)/(1024*1024) + (sc_bytes*8)/(1024*1024)))) AS sumMB BY c_ip serial

The _serial part makes sure that the end result is the sumMB over the entire transaction. You will pipe the results of this search to more stats stuff (e.g. | eval bandwidth=sumMB/durationSeconds | stats ...)

woodcock
Esteemed Legend

This can easily be done if you have fields defined for transactionID (or something that allows us to generate one) and application; do you?

0 Karma

epacke
Path Finder

Thank you for your answer!

I was more thinking to use

transaction c_ip maxpause=1s

to identify individual page loads.

Will that work?

/Patrik

0 Karma

woodcock
Esteemed Legend

Yes, that seems reasonable, given that there are no correlating fields that can be used to link the events.

0 Karma

epacke
Path Finder

Thanks for your answer! Do you have any idea on how to calculate the average bandwidth per transaction per host?

0 Karma

woodcock
Esteemed Legend

Do all transactions start with the same event and can that event be identified by a field value or string inside the event?

0 Karma

epacke
Path Finder

Thanks for your answer. My intention is to make each user click/page load a transaction. So for instance if the user accesses /index.html, which in turn refers to style.css and script.js, there will be three requests:
index.html
style.css
script.js

These IIS log file entries would be considered as one transaction. Then if the user waits for more than one second before the next click it'd be considered as a new transaction.

0 Karma
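To make the grouping in this thread concrete, here is an added Python example (not code from the thread, and not Splunk's own implementation) that does on a few constructed IIS W3C log lines what `transaction c_ip maxpause=1s` followed by a per-cluster average would do: requests from the same client with no gap longer than 1 s form one transaction, each transaction gets a total byte count and a duration, and the per-transaction bandwidth is then averaged per cluster per minute, which is the table the question asks for. It assumes the IIS `s-computername` field carries the WEBXX-YY host name, groups on cluster as well as c_ip (the thread's search keys on c_ip alone, so one client hitting two clusters within a second would be merged there), and floors a transaction's duration at 1 s, since IIS timestamps have one-second resolution and a single-request transaction would otherwise have duration 0 and no defined bandwidth (in SPL, `sumMB/durationSeconds` yields null for that case). Note also that the `*8` in the searches above turns bytes into bits, so the resulting figure is Mbit/s, not MB/s, despite the field name.

```python
"""Sessionize IIS W3C log lines into transactions (same client, gaps <= 1 s)
and average per-transaction bandwidth per cluster per minute.

Added example: replicates the logic of the thread's `transaction c_ip
maxpause=1s` plus a per-cluster average in plain Python on constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAXPAUSE = timedelta(seconds=1)   # same as `transaction c_ip maxpause=1s`
SPAN = timedelta(minutes=1)       # same as `timechart span=1m`
MIN_DURATION = 1.0                # assumption: floor at the 1 s log resolution
EPOCH = datetime(1970, 1, 1)      # origin for time-bucketing

# Constructed sample log (not real data). Column names follow the IIS W3C
# layout; Splunk's iis sourcetype exposes them as c_ip, sc_bytes, cs_bytes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-computername c-ip cs-uri-stem sc-bytes cs-bytes
2024-05-01 10:00:00 WEB01-01 10.0.0.5 /index.html 20480 512
2024-05-01 10:00:00 WEB01-02 10.0.0.5 /style.css 8192 256
2024-05-01 10:00:01 WEB01-01 10.0.0.5 /script.js 40960 256
2024-05-01 10:00:05 WEB01-01 10.0.0.5 /about.html 10240 512
2024-05-01 10:00:00 WEB02-01 10.0.0.9 /api/report 1048576 1024
2024-05-01 10:00:02 WEB02-01 10.0.0.9 /api/export 2097152 1024
2024-05-01 10:01:30 WEB02-02 10.0.0.7 /ping 100 100
"""


def parse_iis(text):
    """Yield one dict per request line, using the #Fields header for names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # W3C uses '-' in names; Splunk's IIS extraction turns them into '_'
            fields = [f.replace("-", "_") for f in line.split()[1:]]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        row = dict(zip(fields, line.split()))
        row["_time"] = datetime.strptime(
            row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        # cluster id = the WEBXX part of WEBXX-YY (the thread's split/mvindex)
        row["cluster"] = row["s_computername"].split("-")[0]
        row["bytes"] = int(row["sc_bytes"]) + int(row["cs_bytes"])
        yield row


def summarize(cluster, c_ip, evs):
    """Collapse the events of one transaction into totals, like a stats row."""
    start, end = evs[0]["_time"], evs[-1]["_time"]
    # A single request (or several in the same second) has duration 0;
    # floor it so bandwidth stays defined instead of dividing by zero.
    duration = max((end - start).total_seconds(), MIN_DURATION)
    total = sum(e["bytes"] for e in evs)
    return {"cluster": cluster, "c_ip": c_ip, "start": start,
            "requests": len(evs), "bytes": total, "duration_s": duration,
            # *8 as in the thread: bytes -> bits, so this is Mbit/s
            "mbit_per_s": total * 8 / (1024 * 1024) / duration}


def build_transactions(events, maxpause=MAXPAUSE):
    """Group consecutive events from the same (cluster, client) whose gap to
    the previous event is <= maxpause, i.e. Splunk's transaction/maxpause.
    Keying on cluster too is an assumption of this example."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["cluster"], ev["c_ip"])].append(ev)
    transactions = []
    for (cluster, c_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["_time"])
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["_time"] - current[-1]["_time"] > maxpause:
                transactions.append(summarize(cluster, c_ip, current))
                current = [ev]
            else:
                current.append(ev)
        transactions.append(summarize(cluster, c_ip, current))
    return transactions


def average_per_cluster(transactions, span=SPAN):
    """Average per-transaction bandwidth per cluster per time bucket: the
    `timechart span=1m avg(...) by cluster` rows the question asks for.
    Keys are (bucket as 'YYYY-mm-dd HH:MM', cluster), values are Mbit/s."""
    buckets = defaultdict(list)
    for t in transactions:
        bucket = EPOCH + ((t["start"] - EPOCH) // span) * span
        buckets[(bucket.strftime("%Y-%m-%d %H:%M"), t["cluster"])].append(
            t["mbit_per_s"])
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    txns = build_transactions(parse_iis(SAMPLE_LOG))
    for t in txns:
        print(f'{t["start"]:%H:%M:%S} {t["cluster"]} {t["c_ip"]:10} '
              f'{t["requests"]} req {t["bytes"]:8d} B {t["mbit_per_s"]:.3f} Mbit/s')
    for (bucket, cluster), avg in average_per_cluster(txns).items():
        print(f"{bucket} {cluster} avg {avg:.3f} Mbit/s per transaction")
```

On the sample data the first three WEB01 hits (index.html, style.css and script.js, spread over two hosts of the same cluster) collapse into one transaction and the hit four seconds later starts a new one, while the two WEB02 API calls two seconds apart stay separate. The cluster comparison then reflects transfer per page load rather than how many clients each cluster has.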