All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

*Nix App - Network Throughput Calculations

jdunlea_splunk
Splunk Employee
Splunk Employee
‎02-20-2013 02:01 PM

Hi Guys,

I have some confusions around the Interface Throughput calculations.

The following search seems to be finding the average of the DIFFERENCE between the last TX value and the current TX value. What are the TX values representing? The current upload bytes for that poll period, or the accumulated upload bytes for that interface?

index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput_KB = (lastRX-RXbytes)/1024 | eval TX_Thruput_KB = (lastTX-TXbytes)/1024 | timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host

What are we trying to calculate here? Also, is this an accurate representation of bandwidth usage for that interface on a system?

Cheers,

John

0 Karma
Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎02-20-2013 02:36 PM

Hi tiberious726,

So you are saying that the SEARCH is calculating the "accumulated total bytes", or that the straight TX value in the events is the "accumulated total bytes" (so that is why we are finding the difference between TXbytes and lastTX in this search)? The latter makes the most sense to me. What is strange , is that for some of my instances, I am seeing negative results for the different between the current TXbytes value and the lastTX.... which does not make any sense?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...