Splunk Search

Spread one event across multiple bins

chca
Path Finder

I need to determine peak bandwidth from IIS logs. The logs have both the amount of bytes sent and the time taken (in milliseconds). I believe I need to set up a timechart, and then apply one event to multiple timespans within the timechart. Each timespan should sum the bytes sent divided by the number of timespans the event covers. For example, if a request took 3 minutes to transfer, and the timespan is 1 minute, then this event would add 1 minute to three consecutive timespans.

I cannot determine how to do this from the documentation. Any suggestions appreciated.

UPDATE

I just discovered multivalue expansion and the ability to create your own search commands. I'm considering creating a new streaming command that takes three parameters: original value, divisor and seed. So if I have 5 as the value, 1 as the divisor and 3 as the seed, it will return a new field with '3,4,5,6,7.' Then I can use mvexpand to create multiple events based upon the returned field. In the real scenario, this would be the duration, span and time from the IIS log file, so that it returns a series of times as a multivalue. After expanding them into multiple events, I could simply use timechart.

Any thoughts appreciated--or help writing the command. 😉


dwaddle
SplunkTrust

I'm not sure this is (easily) possible. I don't think timechart lets you count an event in multiple bins. Also, this is a less than ideal way of computing peak bandwidth. Some things that are included in your bandwidth usage but won't be counted here include:

  • TCP and IP headers for every packet
  • Acknowledgements
  • Retransmissions
  • Connection setup and teardown messages (SYN, SYN+ACK, FIN)

I think I would look at SNMP interface counters as a better alternative for this type of data.


Updates

SNMP, however, does not count different types of data - it is simply the number of bytes through the interface over a time period. You might be able to do it with Netflow data, but that is getting more complicated.

Also, something to think about is that peak bandwidth utilization on an Ethernet type circuit is (over a short enough period of time) ALWAYS 100%. (That is, it is either transmitting, or it is not - when it is transmitting it is 100% used, when it is not it is 0% used).

When you look at larger time periods (a second or larger), it is an average utilization over that time. Traditional "what's my bandwidth usage" tools look at bytes transmitted over a time period to compute a bandwidth in bytes/sec. The smaller the time window, the more accurately the average approaches the peak.

One approximation that may work for you is a 5 minute average. An assumption here is that few of your transfers are > 5 minutes, and a 5 minute average is a pretty reasonable time range. So we could do something like this:

your search stuff 
| eval _time = _time - duration 
| bucket span=5m _time
| stats sum(bytes) as totalbytes by _time
| eval avg_bytes_sec = totalbytes / 300

I adjust _time backwards by duration because IIS usually logs with a timestamp at the end of the request, so to count it from the beginning you have to move back.

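The two approaches in this thread, the asker's idea of spreading one request over every bin it overlaps (the custom streaming command plus mvexpand) and the answer's "shift _time back by duration, then bucket" search, can be compared side by side outside Splunk. The following is an added example, not code from the thread or from Splunk; it parses a few constructed IIS W3C log lines (the field set date, time, cs-uri-stem, sc-bytes, time-taken and the traffic figures are assumptions for illustration), shifts each timestamp back by time-taken because IIS stamps the end of the request, and then computes bytes/sec per 1-minute bin both ways. The proportional split in spread_event is the logic a custom streaming command (Splunk custom commands are Python) would wrap; the zero time-taken case is handled explicitly, since IIS logs 0 ms for tiny responses and a naive divide-by-duration would fail there.

```python
"""Spread each IIS request's bytes across the time bins it overlaps.

Added example (not from the original thread). Assumes W3C-format IIS lines
with the fields date, time, cs-uri-stem, sc-bytes, time-taken (ms); the
sample lines below are constructed for illustration, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log. IIS stamps the *end* of the request, so a 180 s
# transfer logged at 10:03:10 actually began at 10:00:10.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem sc-bytes time-taken
2024-03-01 10:00:30 /index.html 20000 500
2024-03-01 10:03:10 /video.mp4 18000000 180000
2024-03-01 10:03:40 /doc.pdf 3000000 90000
"""


def parse_iis(text):
    """Return (start_epoch, duration_s, sc_bytes) per request.

    The logged timestamp is when the response finished, so the transfer
    started time-taken milliseconds earlier (the '_time - duration' shift).
    """
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, clock, _uri, sc_bytes, time_taken = line.split()
        end = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        end = end.replace(tzinfo=timezone.utc).timestamp()
        duration = int(time_taken) / 1000.0
        events.append((end - duration, duration, int(sc_bytes)))
    return events


def spread_event(start, duration, nbytes, span):
    """Split nbytes over the span-second bins that [start, start+duration)
    touches, proportional to how much of the transfer falls in each bin.

    A zero time-taken (IIS logs 0 ms for tiny cached responses) is credited
    entirely to the bin containing the timestamp instead of dividing by zero.
    """
    if duration <= 0:
        return {start - start % span: float(nbytes)}
    shares = defaultdict(float)
    cursor, end = start, start + duration
    while cursor < end:
        bin_start = cursor - cursor % span          # floor to the bin boundary
        seg_end = min(bin_start + span, end)        # part of the transfer in this bin
        shares[bin_start] += nbytes * (seg_end - cursor) / duration
        cursor = seg_end
    return dict(shares)


def bandwidth_spread(events, span=60):
    """bytes/sec per bin, crediting each request to every bin it overlaps."""
    totals = defaultdict(float)
    for start, duration, nbytes in events:
        for bin_start, share in spread_event(start, duration, nbytes, span).items():
            totals[bin_start] += share
    return {b: t / span for b, t in sorted(totals.items())}


def bandwidth_start_bin(events, span=60):
    """bytes/sec per bin, crediting the whole request to its start bin
    (the 'bucket span=... _time | stats sum(bytes)' shape, with a 60 s span)."""
    totals = defaultdict(float)
    for start, _duration, nbytes in events:
        totals[start - start % span] += nbytes
    return {b: t / span for b, t in sorted(totals.items())}


def peak(rates):
    """(bin_start_epoch, bytes_per_sec) of the busiest bin."""
    return max(rates.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    evts = parse_iis(SAMPLE_LOG)
    for label, fn in (("spread", bandwidth_spread), ("start-bin", bandwidth_start_bin)):
        rates = fn(evts)
        for b, r in rates.items():
            print(f"{label:9} {datetime.fromtimestamp(b, timezone.utc):%H:%M} {r:12.1f} B/s")
        print(f"{label:9} peak {peak(rates)[1]:.1f} B/s")
```

On the constructed sample the start-bin method reports a peak roughly 2.3 times higher than the proportional spread, because the entire 18 MB video transfer lands in the minute it began even though it was served over three minutes; the spread method smooths it to what the server was actually pushing per bin. Both still only count application payload, so the header, ACK and retransmission overhead noted above is missing from either figure.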

chca
Path Finder

Sorry for the delayed update. I appreciate you taking the time to think this through. Correct me if I'm wrong, but your search example is a manual version of timechart that uses per_second. This doesn't account for overlap and it dilutes the results as most requests would likely be less than 30 seconds. I could reduce your example to 30 seconds rather than 5 minutes, but I'm also serving larger multimedia files like video, audio, PDF and Flash objects that would overlap several buckets.


chca
Path Finder

I'm not as familiar with SNMP. Can you pull events from those logs that only apply to specific requests? For example, a specific web page. The concern is that the server has a lot of communication besides web traffic that we don't want to include in this report.
