## How to calculate bandwidth utilization on an snmp interface from one point to another

Path Finder

Hi,

I keep getting negative values on my chart when I run my search below. All I'm trying to do is calculate the bandwidth utilization from one of my switches to another. Take into consideration that the switches are in different building locations. I'll be glad if someone could help me out.

Here is my search below:

```
index=snmp dst_device="mdf1" src_device="mdf2"
| delta snmpIfInOctets as transferedIn
| delta snmpIfOutOctets as transferedOut
| delta _time as period
| eval transferedBitsIn=transferedIn*8/period
| eval transferedBitsOut=transferedOut*8/period
| fields + _time, source, snmpIfSpeed, transferedBitsIn, transferedBitsOut
| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
```

Esteemed Legend

Why are you doing it with such discrete calculations? Why not do it in a much simpler and broader way, like this:

```
index=snmp
| eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device)
| stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) AS inputBits sum(snmpIfOutOctets) AS outputBits by link
| eval TotalBits = 8*(inputBits + outputBits)
| eval Bandwidth=TotalBits/(lastTime-firstTime)
```
Path Finder

This looks good, by the way. Is there a way to add a sparkline to show the bandwidth utilization for each link (src_device, dst_device)?

Path Finder

Oops, what about the bandwidth result? It wasn't used in your suggested search above?

Esteemed Legend

The search that I gave you calculates a single bandwidth value for each "link" but you have to "use" it as you see fit (I don't know what your end goal is). As far as sparkline, you can do that like this:

```
index=snmp
| eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device)
| bucket _time span=1h
| stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) AS inputBits sum(snmpIfOutOctets) AS outputBits by link _time
| eval TotalBits = 8*(inputBits + outputBits)
| eval Bandwidth=TotalBits/(lastTime-firstTime)
| stats sparkline(avg(Bandwidth),1h) AS BandwidthPerHour by link
```
Path Finder

Hello Woodcook,

So, I tried the search you sent, but no data or sparkline data is coming up?

Esteemed Legend

Your comment was truncated but the only way that I can see for it not to work is if you did not run it for more than an hour. Try changing the `1h` to `1m` instead.

Path Finder

Same problem: no report coming up in Splunk, just data on the Events tab.

Esteemed Legend

You should probably start over with a new question so that you can start with a concise description and so that more people will take a fresh look at it.

SplunkTrust

If you want to search more than an hour, use `1mon` instead of `1m`; `m` is for minutes: http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Specifytimemodifiersinyoursearch#Specify_re...

Esteemed Legend

Too many deltas. Each event already has the bytes transferred; you just need how long it took. Try this:

```
index=snmp dst_device="mdf1" src_device="mdf2"
| delta _time as period
| eval transferedBitsIn=snmpIfInOctets*8/period
| eval transferedBitsOut=snmpIfOutOctets*8/period
| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
```
Path Finder

Hi Woodcook,

Thanks for the feedback. I think we are almost there. But, for some reason, I keep getting this error message whenever I try to populate my graph when running the search over 7 days or 30 days; see below:

These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached.

Also, why do I get a negative value for each link? I'm more concerned about getting the aggregate bandwidth usage over 30 days.

Esteemed Legend

I don't know what you mean by `each link` but if all of your values are negative, you can fix it by reversing the events like this:

```
index=snmp dst_device="mdf1" src_device="mdf2"
| reverse
| delta _time as period
| eval transferedBitsIn=snmpIfInOctets*8/period
| eval transferedBitsOut=snmpIfOutOctets*8/period
| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
```

As far as the truncation warning, it is just as it says: you need to be sure to limit the number of points on the graph to < 1000. To do this, you need to enlarge your timechart from `span=10m` to something like `span=1h` (or maybe even larger for 30 days). If you need an aggregate, why are you using `timechart`? Why are you not generating a single value like this with `stats`?

```
index=snmp dst_device="mdf1" src_device="mdf2"
| reverse
| delta _time as period
| eval transferedBitsIn=snmpIfInOctets*8/period
| eval transferedBitsOut=snmpIfOutOctets*8/period
| stats sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
```
Path Finder

So, this is what I'm trying to achieve: I want to calculate the aggregate bandwidth (xxGB/s) for each link (for instance A1-MDF1 -> B2-MDF1), so I can evaluate a 30-day 95th-percentile utilization on each link (like A1-MDF1 -> B2-MDF1). Hope that helps.
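The arithmetic behind the searches in this thread, as an added example that is not part of the thread and not Splunk code: throughput from cumulative SNMP octet counters, the negative values that appear when the time delta is taken over events that arrive newest-first (which `| reverse` fixes), a 32-bit counter rollover, the direction-independent link key from the first answer, and the 95th-percentile utilization asked for above. The poll data is constructed, the counters are assumed to be IF-MIB Counter32 objects (cumulative bytes, wrapping at 2^32), and the nearest-rank percentile is the definition assumed here, not Splunk's own `perc` implementation.

```python
"""Throughput from cumulative SNMP octet counters (added example, not from the thread)."""
import math

COUNTER32_MODULUS = 2 ** 32  # assumption: ifInOctets/ifOutOctets are 32-bit Counter32 values

# Constructed sample polls, newest first (the order a search returns events):
# (epoch seconds, ifInOctets, ifOutOctets). Counters are cumulative bytes.
POLLS_NEWEST_FIRST = [
    (2800, 155_032_704, 325_000_000),    # ifInOctets rolled over past 2**32 here
    (2200, 4_225_000_000, 212_500_000),
    (1600, 4_075_000_000, 137_500_000),
    (1000, 4_000_000_000, 100_000_000),
]


def counter_delta(prev, cur, modulus=COUNTER32_MODULUS):
    """Bytes transferred between two cumulative counter readings, unwrapping one rollover."""
    delta = cur - prev
    if delta < 0:                # counter rolled over since the previous poll
        delta += modulus
    return delta


def naive_bps(polls):
    """Mimic `| delta _time as period | eval bps=octets*8/period` on newest-first events.

    Each event is older than the one before it, so period is negative and every
    result is negative; the cumulative counter is also not a per-interval byte count.
    """
    rates = []
    for (t_prev, _, _), (t_cur, in_cur, _) in zip(polls, polls[1:]):
        period = t_cur - t_prev   # negative when events are newest-first
        rates.append(in_cur * 8 / period)
    return rates


def throughput_bps(polls):
    """(time, in_bps, out_bps) per polling interval, oldest first, rollover-safe."""
    ordered = sorted(polls)       # same effect as `| reverse` on newest-first events
    rates = []
    for (t0, in0, out0), (t1, in1, out1) in zip(ordered, ordered[1:]):
        period = t1 - t0
        if period <= 0:           # duplicate timestamp: skip instead of dividing by zero
            continue
        rates.append((t1,
                      counter_delta(in0, in1) * 8 / period,
                      counter_delta(out0, out1) * 8 / period))
    return rates


def percentile(values, p):
    """Nearest-rank percentile (assumed definition): p in 0..100."""
    if not values:
        raise ValueError("no samples")
    ranked = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ranked)))
    return ranked[rank - 1]


def utilization_percent(bps, if_speed_bps):
    """Share of the interface's nominal speed (ifSpeed, bits/s) in use."""
    return 100.0 * bps / if_speed_bps


def link_key(src_device, dst_device):
    """Direction-independent link name, as the `if(src_device<dst_device, ...)` eval builds."""
    a, b = sorted((src_device, dst_device))
    return f"{a}<->{b}"


if __name__ == "__main__":
    rates = throughput_bps(POLLS_NEWEST_FIRST)
    for t, in_bps, out_bps in rates:
        print(t, in_bps, out_bps)
    print("naive newest-first deltas:", naive_bps(POLLS_NEWEST_FIRST))
    p95_in = percentile([r[1] for r in rates], 95)
    print("95th percentile inbound bit/s:", p95_in)
    print("utilization of a 10 Mbit/s port:", utilization_percent(p95_in, 10_000_000))
```

Sorting by time before differencing is the step the `| reverse` in the later answers performs; the rollover correction has no SPL counterpart in the thread and matters for Counter32 interfaces that are polled less often than they wrap.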

Path Finder

Hi somesoni2,

Here is a line of my log file from one of my switches:

1199999: Jul 29 22:33:01: %SEC-1-IP------: list VLAN64_RS_Out permitted udp (TenGigabitEthernet5/1 ) -> (port number), 1 packet

Revered Legend

Could you provide some sample logs showing what your events look like?
