Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to find the Max Mbps transferred per day?

ckozma
New Member
‎04-17-2017 09:39 AM

I need to find a way to figure out how to get the Max Mbps per day over the course of a certain time frame, say a week. I currently have a search that gets some information from the Palo Alto logs, but some of the data looks incorrect, we only have a 100 Mbps connection to the outside world, which is "Ethernet 1/12"... What is wrong with this search and how can I get the results I am looking for? Thanks in advance, Chris.

index=pan*  src_interface="ethernet1/12" | bin _time span=1s | stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time | eval day=_time | bin day span=1d | eventstats max(BI) as "Max BI" by day | dedup "Max BI" | eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string

And the results (incorrect):
alt text

Preview file
1 KB
0 Karma
Reply

adonio
Ultra Champion
‎04-17-2017 10:36 AM

hi ckozma,
why did you multiple bytes_in by 8?
stats sum(eval((bytes_in*8/1024)/1024)) as BI by _time

0 Karma
Reply

ckozma
New Member
‎04-17-2017 10:38 AM

I was trying to convert bytes to bits so that I could get Mbps (megabits per second)

0 Karma
Reply

cmerriman
Super Champion
‎04-17-2017 10:30 AM

have you tried to do the eval before the stats? not sure if that'll help. is bytes_in actually bytes? You can bin _time and just rename it, and i'm not sure you need the dedup without looking at the data.

index=pan*  src_interface="ethernet1/12" | bin _time span=1s |eval BI=bytes_in/131072| stats sum(BI) as BI by _time | bin _time as day span=1d | eventstats max(BI) as "Max BI" by day| eval date_string=strftime(_time,"%m/%d/%y %H:%M:00") | chart first("Max BI") as "Max Mbps In" by date_string
0 Karma
Reply

ckozma
New Member
‎04-17-2017 10:44 AM

Without the dedup I get multiple entries per day when I am just looking for the max per day (one max per day). With that being said, you results look much closer to what I am looking for. I am currently checking to see if the numbers add up.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...