show send and receive from internet to my ftp serv...

khanlarloo · ‎02-13-2019

i want to show the how much user send and receive from the internet to my ftp server,is my search command right?
index="fw" policyid=143 |eval send=round((bytes_out)/131072,2) |eval receive=round((bytes_in)/131072,2) |search send > 0 |timechart span=1m count by send receive
it shows the count of the send but i don't want to show send based on count

woodcock · ‎02-16-2019

Try this:

index="fw" policyid=143
| timechart span=1m sum(bytes_out) AS sent sum(bytes_in) AS received BY user
| foreach sent* received* [ eval <<FIELD>> = round('<<FIELD>>'/131072, 2) ]
|eval send=round((bytes_out)/131072,2) |eval receive=round((bytes_in)/131072,2)

DMohn · ‎02-13-2019

You are using the count command here, hence it is showing you counts. If you want to have the sum of the transferred data, use sum instead...

index="fw" policyid=143 |eval send=round((bytes_out)/131072,2) |eval receive=round((bytes_in)/131072,2) |search send > 0 |timechart span=1m sum(send) as sent, sum(receive) as received

khanlarloo · ‎02-15-2019

it doesn't show the correct bandwidth

DMohn · ‎02-16-2019

Can you post some example log lines, this would make it easier to help...

show send and receive from internet to my ftp server

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms