Splunking bandwidth from GTA firewalls

FiveRiversIT · ‎03-16-2012

Hello. I'm completely new to splunking and a novice with this firewall.

I'm pretty much trying to monitor bandwidth from a device in my network. I want a nice dashboard to show me this.

So the search that i am using is basically starts like

dstname=10.1.11.103 OR src=10.1.11.103

But not sure what goes next. I'm super clueless and i apologize for this thanks.

Here is a log entry, ip's ommited:

Mar 16 14:36:09 10.1.11.1 Mar 16 14:36:09 id=firewall time="2012-03-16 18:36:09" fw="00000000" pri=5 msg="Accept inbound, NAT tunnel" cat_action=pass dstname=10.1.11.103 proto=https/tcp src=10.1.11.102 srcport=4023 nat=208.x.x.134 natport=443 dnat=10.1.11.1 dnatport=4023 dst=10.1.11.103 dstport=443 rule=3 duration=134 sent=1531 rcvd=12945 pkts_sent=11 pkts_rcvd=14

FiveRiversIT · ‎03-16-2012

I'm wondering if this syntax is correct:

dstname=10.1.11.103 OR src=10.1.11.103 | timechart sum(rcvd)

lguinn2 · ‎03-16-2012

or even

dstname=10.1.11.103 OR src=10.1.11.103 |
eval tbytes= rcvd + sent |
timechart sum(tbytes)

gkanapathy · ‎03-16-2012

yes, that is exactly right. you can also do: ... | timechart sum(rcvd), sum(sent).

Splunking bandwidth from GTA firewalls

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!