
How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13
Path Finder

Hi,

I keep getting negative values on my chart when I run my search below. All I'm trying to do is calculate the bandwidth utilization from my switches to another. Put into consideration - assuming the switches are in different building locations. I'll be glad if someone could help me out.

Here is my search below:

index=snmp dst_device="mdf1" src_device="mdf2"

| delta snmpIfInOctets as transferedIn|delta snmpIfOutOctets as transferedOut
|delta _time as period
| eval transferedBitsIn=transferedIn*8/period|eval transferedBitsOut=transferedOut*8/period| fields + _time, source, snmpIfSpeed, transferedBitsIn, transferedBitsOut| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source


woodcock
Esteemed Legend

Why are you doing it with such discrete calculations? Why not do it in a much simpler and broader way, like this:

index=snmp | eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device) | stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) as inputBits sum(snmpIfOutOctets) as outputBits by link | eval TotalBits = 8*(inputBits + outputBits) | eval Bandwidth=TotalBits/(lastTime-firstTime)

bidahor13
Path Finder

This looks good, by the way. Is there a way to add a sparkline to show the bandwidth utilization for each link (src_device, dst_device)?


bidahor13
Path Finder

Oops, what about the bandwidth result? It wasn't used in your suggested search above?


woodcock
Esteemed Legend

The search that I gave you calculates a single bandwidth value for each "link" but you have to "use" it as you see fit (I don't know what your end goal is). As far as sparkline, you can do that like this:

index=snmp | eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device) | bucket _time span=1h | stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) as inputBits sum(snmpIfOutOctets) as outputBits by link _time | eval TotalBits = 8*(inputBits + outputBits) | eval Bandwidth=TotalBits/(lastTime-firstTime) | stats sparkline(avg(Bandwidth),1h) as BandwidthPerHour by link

bidahor13
Path Finder

Hello woodcock,

So, I tried the search you sent, but there is no data or sparkline data coming up?


woodcock
Esteemed Legend

Your comment was truncated but the only way that I can see for it not to work is if you did not run it for more than an hour. Try changing the 1h to 1m instead.


bidahor13
Path Finder

Same problem, no report coming up on Splunk. Just data on the Events.


woodcock
Esteemed Legend

You should probably start over with a new question so that you can start with a concise description and so that more people will take a fresh look at it.


MuS
SplunkTrust

If you want to search more than an hour, use 1mon instead of 1m; m is for minutes. http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Specifytimemodifiersinyoursearch#Specify_re...


woodcock
Esteemed Legend

Too many deltas. Each event already has the bytes transferred; you just need how long it took. Try this:

index=snmp dst_device="mdf1" src_device="mdf2" |delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

bidahor13
Path Finder

Hi woodcock,

Thanks for the feedback. I think we are almost there. But, for some reason, I keep getting this error message whenever I try to populate my graph when running the search over 7 days or 30 days: see below.

These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached.

Also, why do I get negative value for each link ? I'm more concerned about getting the aggregate bandwidth usage over 30 days .


woodcock
Esteemed Legend

I don't know what you mean by each link but if all of your values are negative, you can fix it by reversing the events like this:

index=snmp dst_device="mdf1" src_device="mdf2" |reverse | delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

As far as the truncation warning, it is just as it says: you need to be sure to limit the number of points on the graph to < 1000. To do this, you need to enlarge your timechart from span=10m to something like span=1h (or maybe even larger for 30 days). If you need aggregate, why are you using timechart? Why are you not generating a single value like this with stats?

index=snmp dst_device="mdf1" src_device="mdf2" |reverse | delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | stats sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

bidahor13
Path Finder

So, this is what I'm trying to achieve: I want to calculate the aggregate bandwidth (xx GB/s) for each link (for instance A1-MDF1 -> B2-MDF1), so I can evaluate a 30-day 95th percentile utilization on each link (like A1-MDF1 -> B2-MDF1). Hope that helps.

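The arithmetic the thread is circling (octet counter deltas divided by the poll period, then a 95th percentile against the interface speed), worked through as an added Python example that is not from the thread or from Splunk: it sorts the polls oldest-first before taking deltas, which is what the `reverse` step does for `delta` and what avoids the negative values, and it also corrects for a 32-bit Counter32 wrap, which none of the SPL searches above handle. The sample polls and the ifSpeed value are constructed.

```python
import math

COUNTER32_MAX = 2**32  # ifInOctets/ifOutOctets are 32-bit Counter32 values

# Constructed sample polls for one interface, listed newest-first as Splunk
# returns events: (epoch seconds, ifInOctets, ifOutOctets, ifSpeed in bit/s).
# The oldest in-counter sits just below 2**32 so the first interval wraps.
SAMPLES = [
    (1900, 13_117_704, 2_125_000, 1_000_000),
    (1600, 11_242_704, 1_750_000, 1_000_000),
    (1300, 3_742_704, 1_375_000, 1_000_000),
    (1000, 4_294_960_000, 1_000_000, 1_000_000),
]

def counter_delta(prev, cur, modulus=COUNTER32_MAX):
    """Difference of two cumulative counter readings, correcting one wrap."""
    d = cur - prev
    return d if d >= 0 else d + modulus

def throughput(samples):
    """Return [(t, in_bps, out_bps)] for each pair of consecutive polls.

    Sorting oldest-first before differencing is the step that keeps both the
    period and the byte deltas positive; newest-first order gives negatives.
    """
    ordered = sorted(samples, key=lambda s: s[0])
    rates = []
    for (t0, in0, out0, _), (t1, in1, out1, _) in zip(ordered, ordered[1:]):
        period = t1 - t0
        if period <= 0:
            continue  # duplicate timestamp: skip instead of dividing by zero
        rates.append((t1,
                      counter_delta(in0, in1) * 8 / period,
                      counter_delta(out0, out1) * 8 / period))
    return rates

def percentile(values, pct):
    """Nearest-rank percentile, the usual definition for 95th percentile links."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def utilization_95th(samples):
    """95th percentile of in+out throughput as a fraction of ifSpeed."""
    speed = samples[0][3]
    totals = [i + o for _, i, o in throughput(samples)]
    return percentile(totals, 95) / speed
```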

bidahor13
Path Finder

Hi somesoni2,

Here is a line of my log file from one of my switches:

1199999: Jul 29 22:33:01: %SEC-1-IP------: list VLAN64_RS_Out permitted udp (TenGigabitEthernet5/1 ) -> (port number), 1 packet


somesoni2
Revered Legend

Could you provide some sample logs showing what your events look like?
