I am trying to calculate bandwidth from NetFlow data.
Each flow record has the timestamp of the flow generation time, the timestamp of the first packet (%FIRST_SWITCHED), the timestamp of the last packet (%LAST_SWITCHED), and the total received bytes (%IN_BYTES) and sent bytes (%OUT_BYTES).
By using these data, I can obtain the average bandwidth of each flow with the following formula:
in_bps = IN_BYTES * 8 / (LAST_SWITCHED - FIRST_SWITCHED)
out_bps = OUT_BYTES * 8 / (LAST_SWITCHED - FIRST_SWITCHED)
However, I am not sure how I can create a timechart of total bandwidth of multiple flows.
Currently, _time is set by the timestamp when the flow data is received.
If I use it to derive total bandwidth like "index=netflow | timechart span=5min sum(in_bps) by PROTOCOL", it does not give me the right figure.
To derive an accurate result, I need to pick the flow records that meet the condition current_time >= FIRST_SWITCHED & current_time <= LAST_SWITCHED, and calculate the sum of in_bps or out_bps of each such flow for that specific time.
But I have no idea how to write such SPL to analyze multiple timestamps in a single log entry.
It would be great if someone could give me some ideas on how to perform such a task in Splunk.
For reference, the NetFlow data looks like the JSON below:
{"22":1543571246000,"11":443,"12":"xxx.xxx.xxx.xxx","23":16550,"24":233,"14":0,"57590":91,"1":3209400,"2":2154,"4":6,"5":0,"6":27,"7":13726,"8":"yyy.yyy.yyy.yyy","57659":"FQDN of URL","10":0,"21":1543571253000}
I wrote field extractions, and each JSON record is extracted into _time, LAST_SWITCHED, FIRST_SWITCHED, IN_BYTES, OUT_BYTES, PROTOCOL, and so on.
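One way to compute that aggregate, as an added Python example rather than anything from this thread: each flow's bytes are apportioned across the 5-minute buckets that its FIRST_SWITCHED..LAST_SWITCHED interval overlaps, and the per-bucket totals are divided by the span to give average bps per protocol. It assumes the numeric keys follow the NetFlow v9 field IDs (22 = FIRST_SWITCHED, 21 = LAST_SWITCHED, 1 = IN_BYTES, 23 = OUT_BYTES, 4 = PROTOCOL) and that timestamps are epoch milliseconds; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records modelled on the JSON in the question (epoch ms).
# Key mapping is an assumption based on NetFlow v9 field IDs:
# 22 = FIRST_SWITCHED, 21 = LAST_SWITCHED, 1 = IN_BYTES, 23 = OUT_BYTES, 4 = PROTOCOL
SAMPLE_FLOWS = [
    '{"22":1543571246000,"21":1543571253000,"1":3209400,"23":16550,"4":6}',
    '{"22":1543571100000,"21":1543571700000,"1":600000,"23":60000,"4":17}',
]

SPAN_MS = 5 * 60 * 1000  # 5-minute buckets, matching timechart span=5min


def flow_bits_per_bucket(record, span_ms=SPAN_MS):
    """Spread one flow's IN/OUT bits over the buckets its lifetime overlaps,
    proportionally to how much of the lifetime falls in each bucket.
    Returns {(bucket_start_ms, protocol): (in_bits, out_bits)}.
    A zero-duration flow is treated as lasting 1 ms so it still lands in a
    bucket instead of dividing by zero."""
    first = record["22"]
    last = max(record["21"], first + 1)
    duration = last - first
    in_bits, out_bits = record["1"] * 8, record["23"] * 8
    proto = record["4"]
    shares = {}
    bucket = first - first % span_ms  # align to the bucket containing FIRST_SWITCHED
    while bucket < last:
        overlap = min(last, bucket + span_ms) - max(first, bucket)
        share = overlap / duration
        shares[(bucket, proto)] = (in_bits * share, out_bits * share)
        bucket += span_ms
    return shares


def bandwidth_timechart(json_lines, span_ms=SPAN_MS):
    """Average in/out bps per (bucket, protocol) across all flows, i.e. the
    per-bucket total the poster's sum(in_bps) timechart is meant to show."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for line in json_lines:
        for key, (ib, ob) in flow_bits_per_bucket(json.loads(line), span_ms).items():
            totals[key][0] += ib
            totals[key][1] += ob
    span_s = span_ms / 1000
    return {k: (ib / span_s, ob / span_s) for k, (ib, ob) in totals.items()}


if __name__ == "__main__":
    for (bucket, proto), (in_bps, out_bps) in sorted(bandwidth_timechart(SAMPLE_FLOWS).items()):
        print(bucket, proto, round(in_bps, 1), round(out_bps, 1))
```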