Solved: Get Percentage of Network bandwidth

tysonjhayes · ‎05-06-2015

I'm looking to define a query that allows me to query the Network Interface for all my machines and create a percentage utilization for each interface. I'm having a bit of trouble with it though.

What I'm ultimately looking for is to take the TotalBytes being used on my Network Interface and divide by my current bandwidth. Basically: ((totalBytes*8)/CurrentBandwidth) * 100

I've come up with the following query but CurrentBandwidth doesn't come back with anything and I get an error that I'm interpreting to me an I'm dividing by zero.

index=index host=host object="Network Interface" counter="Bytes Total/sec"
    | bucket _time span=1m
    | stats avg(Value) as bytesByHost by _time,host
    | stats sum(bytesByHost) as totalBytes by _time
    | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
        | bucket _time span=1m 
        | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
    | stats exact(((totalBytes*8)/CurrentBandwidth) * 100)

Error: Error in 'stats' command: The argument 'exact(((totalBytes*8)/CurrentBandwidth) * 100)' is invalid.

Any assistance would be greatly appreciated.

stephanefotso · ‎05-06-2015

Exact(X) is a function for Eval and Where

Try

 index=index host=host object="Network Interface" counter="Bytes Total/sec"
     | bucket _time span=1m
     | stats avg(Value) as bytesByHost by _time,host
     | stats sum(bytesByHost) as totalBytes by _time
     | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
         | bucket _time span=1m 
         | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
     | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
 | stats  values(total)

SGF

View solution in original post

woodcock · ‎05-06-2015

"exact" is not a stats function:
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Stats

tysonjhayes · ‎05-06-2015

Thanks! That's been corrected.

stephanefotso · ‎05-06-2015

Exact(X) is a function for Eval and Where

Try

 index=index host=host object="Network Interface" counter="Bytes Total/sec"
     | bucket _time span=1m
     | stats avg(Value) as bytesByHost by _time,host
     | stats sum(bytesByHost) as totalBytes by _time
     | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
         | bucket _time span=1m 
         | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
     | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
 | stats  values(total)

SGF

tysonjhayes · ‎05-06-2015

Tried your function and while I'm not getting the error anymore (thanks!) I'm not getting any data for total. It still looks like CurrentBandwidth is null.

When I run the appended search by itself I'm getting results but put it in the append I'm getting nothing...

stephanefotso · ‎05-06-2015

Try this

  index=index host=host object="Network Interface" counter="Bytes Total/sec"
          | bucket _time span=1m
          | stats avg(Value) as bytesByHost by _time,host
          | stats sum(bytesByHost) as totalBytes by _time
          | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
              | bucket _time span=1m 
              | eventstats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
          | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
      | stats  values(total)

SGF

tysonjhayes · ‎05-06-2015

Still getting null or 0 on CurrentBandwidth. The query by itself is producing results though. I'm checking it by running the query in the brackets by itself (seeing the results), then I tried taking everything before the eval and doing a | table CurrentBandwidth (seeing rows with no data). Thanks for your assistance thus far!

stephanefotso · ‎05-06-2015

I now understand. I thing the problem should be the appen command. Change appen and try use apppencols or join. Something like this, with appendcols:

 index=index host=host object="Network Interface" counter="Bytes Total/sec"
      | bucket _time span=1m
      | stats avg(Value) as bytesByHost by _time,host
      | stats sum(bytesByHost) as totalBytes by _time
      | appendcols [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
          | bucket _time span=1m 
          | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
      | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
  | stats  values(total)

SGF

tysonjhayes · ‎05-06-2015

Brilliant! That works! Now, what is apppencols? I'm not seeing any documentation on it, or I'm missing something super obivous.

stephanefotso · ‎05-06-2015

here you go: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols

SGF

Get Percentage of Network bandwidth

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio