calculate nic interface throughput

ericca · ‎02-08-2013

Below is the search from the *nix app for interface throughput, but I have a question regarding the eval command for the timechart. Does the “dc(time)” indicate that we are dividing by the timeframe in seconds? Example: For a 60 min timeframe are we dividing by 3600 seconds?

How do I calculate duration, when _time is the only value available?

timechart eval(sum(TX_Thruput_KB)/dc(time))

index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput_KB = (lastRX-RXbytes)/1024 | eval TX_Thruput_KB = (lastTX-TXbytes)/1024 | timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host

ericca · ‎02-08-2013

solution provided by Ron Naken
old - timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host
new - timechart per_second(RX_Thruput_mbits) by Interface_Host

Full search:
index="os" sourcetype="interfaces"
| multikv fields name, inetAddr, RXbytes, TXbytes
| streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name
| eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host
| eval RX_Thruput_KB = (lastRX-RXbytes)/1024
| eval TX_Thruput_KB = (lastTX-TXbytes)/1024
| eval RX_Thruput_mbits=(RX_Thruput_KB).0078125
| eval TX_Thruput_mbits=(RX_Thruput_KB).0078125
| timechart per_second(RX_Thruput_mbits) by Interface_Host

calculate nic interface throughput

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!