Splunk Search

How to show AP and switch usage (Mb/s) over a 24hr period from Meraki syslogs?

phongshader
New Member

I'm a total newb to both Meraki and Splunk...not sure if this is a Meraki or a Splunk question...
I've been sifting through Meraki syslogs with Splunk and creating searches and dashboards but I'm unsure of what I should search for to get usage and bandwidth data out of the logs into a useable/readable form. What I want to accomplish is to get a dashboard that will show AP and switch usage (Mb/s) over a 24hr period, number of clients per AP over a 24hr period, essentially mimic the Meraki network summary report but through syslog/Splunk.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@phongshader - Did the answer provided by DalJeanis help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

To do that, think in these terms - you need to produce "atoms" of the information you need, from the Meraki logs.

To produce "number of clients per AP over a 24 hour period", you need to extract a record with _time, client, and AP. Then you do

(the search ) 
|  bin _time span=1h
|  stats count as eventcount by _time, client, AP

...that combination gets you one record per client per AP per hour -- with the additional information of the count of events in that hour, which we are going to ignore.

Next, if you want to know how many distinct clients were serviced in each hour, you'd do this -

| stats dc(client)  by _time, AP

Or how many distinct clients were handled in the average day, then you could change the extract code sample to bin the records by day (1d), or you could also just (instead of the above stats command) feed the hourly results into a charting command that would span them on another time frame like so -

| timechart span=1d dc(client) by AP
0 Karma

EdgarAllenProse
Path Finder

can you give a sample log? Or fields and their values? Anonymized of course.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...