Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to show AP and switch usage (Mb/s) over a 24hr period from Meraki syslogs?

phongshader
New Member
‎02-15-2017 09:44 AM

I'm a total newb to both Meraki and Splunk...not sure if this is a Meraki or a Splunk question...
I've been sifting through Meraki syslogs with Splunk and creating searches and dashboards but I'm unsure of what I should search for to get usage and bandwidth data out of the logs into a useable/readable form. What I want to accomplish is to get a dashboard that will show AP and switch usage (Mb/s) over a 24hr period, number of clients per AP over a 24hr period, essentially mimic the Meraki network summary report but through syslog/Splunk.

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-19-2017 07:25 PM

@phongshader - Did the answer provided by DalJeanis help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

DalJeanis
Legend
‎02-15-2017 03:23 PM

To do that, think in these terms - you need to produce "atoms" of the information you need, from the Meraki logs.

To produce "number of clients per AP over a 24 hour period", you need to extract a record with _time, client, and AP. Then you do 

(the search ) 
|  bin _time span=1h
|  stats count as eventcount by _time, client, AP

...that combination gets you one record per client per AP per hour -- with the additional information of the count of events in that hour, which we are going to ignore.

Next, if you want to know how many distinct clients were serviced in each hour, you'd do this -

| stats dc(client)  by _time, AP

Or how many distinct clients were handled in the average day, then you could change the extract code sample to bin the records by day (1d), or you could also just (instead of the above stats command) feed the hourly results into a charting command that would span them on another time frame like so -

| timechart span=1d dc(client) by AP
0 Karma
Reply

EdgarAllenProse
Path Finder
‎02-15-2017 02:24 PM

can you give a sample log? Or fields and their values? Anonymized of course.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...