I am trying to create a report of network bytes from the Universal Forwarder, WMI is not an option for me. Here is an excerpt of the fields
5/11/12
8:30:42.863 AM
05/11/2012 08:30:42.863
collection="Network Interface"
object="Network Interface"
counter="Bytes Sent/sec"
instance="HP NC7782 Gigabit Server Adapter _3"
Value=2578.7604252584738
host=STBACKUP06 Options|
sourcetype=Perfmon:Network Interface Options|
source=Perfmon:Network Interface Options
3 » 5/11/12
8:30:42.863 AM
05/11/2012 08:30:42.863
collection="Network Interface"
object="Network Interface"
counter="Bytes Received/sec"
instance=isatap.redmond.corp.microsoft.com
Value=1523.9033187413756
host=STBACKUP06 Options|
sourcetype=Perfmon:Network Interface Options|
source=Perfmon:Network Interface Options
The counter's are different but they both use the word Value for data and I tried to use a search to join these and it failed.
source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host[search source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec)
I ended up with no data. What am I missing?
For network bytes, it can make sense to show the two values together on a graph. Try a variation on the below search, make it a stacked area chart, and see if you like the results. (Subsearches are often pretty slow, and I try to avoid them.)
host=stbackup06 counter="Bytes Sent/sec" OR counter="Bytes Received/sec" | timechart avg(Value) as Avg by counter