Splunk instance to Splunk instance bandwidth utilization Report

ansif
Motivator

Is there a search query to check bandwidth utilized between two Splunk instances (e.g. Heavy forwarder to Heavy forwarder data being sent)?

0 Karma
harsmarvania57
SplunkTrust

Will you please try this query ?

    index=_internal host=<SOURCE HF FQDN> source="*metrics.log*" destIp=<DEST HF IP> component=Metrics group=tcpout_connections | timechart avg(tcp_KBps) AS avg_KBps
0 Karma

nickhills
Ultra Champion

This will get you some of the way there - but the metrics file won't take account of DS/management traffic (not that it would be very much) but also I believe this reports the uncompressed & decoded data volume.
Not for example taking account of compression efficiency or normal TCP overheads like SSL.
It depends what @ansif is asking for - but if it's total 'bytes on the wire' I'm not sure how close the metrics log would get you.

If my comment helps, please give it a thumbs up!

harsmarvania57
SplunkTrust

Yes, it looks like metrics.log is giving compressed log information not the actual one.

0 Karma

ansif
Motivator

@harsmarvania57: I need to know the compression ratio. So can we confirm the search result gives us compressed data usage over the network before it gets uncompressed and indexed at the receiving end?

0 Karma

nickhills
Ultra Champion

Splunk Stream will answer this for you at the wire level, but you will want to install it on the receiving side, because otherwise the traffic it generates will get included in your results too!

If you are just concerned about the volume of data being indexed you can obtain this from the metrics log, but it won't give you an accurate picture of actual bytes transmitted etc, especially because it does not take account of the compression and transmission overheads of TCP/SSL etc.

If my comment helps, please give it a thumbs up!

ansif
Motivator

So I need to install this app on the receiving side Heavy forwarder to get the amount of data transmitted over the network, right?

0 Karma

nickhills
Ultra Champion

Your question said "Heavy forwarder to Heavy forwarder" - so I would install it on the receiving HF.

The problem with putting it on the sending HF, is that the sending HF can essentially generate 'logs of logs'
(Not a big deal, unless you are trying to measure the volume sent as you are)

If my comment helps, please give it a thumbs up!

ansif
Motivator

@nickhillscpl: If I am sending compressed data (compress = true) from HF to HF, using this app I am able to get the compressed data being sent over the network per day. Am I right?

Actually I have a similar question unanswered

https://answers.splunk.com/answers/593582/search-query-to-get-amount-of-compressed-data-hitt.html

Is this answer applicable to the above question too?

0 Karma

nickhills
Ultra Champion

Stream will tell you the actual volume of data 'on the wire'.
That is to say the total number of bytes sent between hosts, so yes, this will be the compressed data volume + overheads.

I'll drop a note on your other issue.

If my comment helps, please give it a thumbs up!