Reply

DHCPv4 Top Utilized Ranges

[ Edited ]
Adviser
Posts: 86
4290     1

Problem: A couple of years back I sold a massive DHCP solution to a bank, replacing around 900 MS DHCP servers. Along with this, a reporting appliance. Lo and behold, the customer was shocked that they could not easily generate a DHCP range utilization report. Sure, you could get DHCP network utilization but if your network had more than one DHCP range, it would sum up the total utilization of all ranges and reported it as a whole - possibly producing false, low utilization reports. This of course poses problems for most organisations since should be able to generate a utilization report for their DHCP ranges. So the only solution at the time was to use an API call to extract all ranges and re-order them in order of utilization % using a script.

 

So this is my meagre attempt at producing a report for that customer!

 

Notes: can't seem to find EAs attached to the network/range, and thus cannot include a filter for this but that would be the ideal case. I also hope to include drill downs for each range, producing a trending graph.

 

<form>
  <label>1_DHCPv4 Top Utilized Ranges</label>
  <description>DHCPv4 Top Utilized Ranges</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="topn" searchWhenChanged="true">
      <label>Top N</label>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <choice value="1000">1000</choice>
      <default>50</default>
      <initialValue>50</initialValue>
    </input>
    <input type="multiselect" token="start_address" searchWhenChanged="true">
      <label>IP Range Start Address</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>start_address="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dhcp sourcetype=ib:dhcp:range
                  | eval start_address=split(start_address,";")
                  | stats count by start_address</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>start_address</fieldForLabel>
      <fieldForValue>start_address</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="multiselect" token="view" searchWhenChanged="true">
      <label>Network View</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>view="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dhcp sourcetype=ib:dhcp:range
                  | eval view=split(view,";")
                  | stats count by view</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>view</fieldForLabel>
      <fieldForValue>view</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=ib_dhcp sourcetype=ib:dhcp:range 
            $start_address$
            $view$
             | eval dhcp_utilization=round(dhcp_utilization/10,2), range=start_address." - ".end_address, dedup_key=view.start_address.end_address
             | dedup dedup_key 
             | sort -dhcp_utilization, +range 
             | head $topn$
             | rename view as View, range as Range, members as Members, dynamic_hosts as "Dynamic Hosts", static_hosts as "Static Hosts", address_total as "Total Available IPs", dhcp_utilization as "Range Utilization %" 
             | table View Range Members "Dynamic Hosts" "Static Hosts" "Total Available IPs" "Range Utilization %"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">false</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">off</option>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>

Update: included filters for range start and network view. Removed members filter until I figure out how to fix a Splunk bug that does not allow display of null entries. Screenshot updated.

Re: DHCPv4 Top Utilized Ranges

Adviser
Posts: 97
4291     1

This is pretty cool! I have a question. What is the impact of the time picker? In other words, if I pick for 1 year back, and my lease time is 30 days, how does the lease time impact the report result?

Re: DHCPv4 Top Utilized Ranges

Adviser
Posts: 86
4291     1

That is actually a very good question! Since Splunk works by a series of events generated by NIOS, each event is timestamped. In the case of DHCP this means that statistics related to the consumption of DHCP IP addresses will change over time. The timepicker allows you to view "sliding windows" of time such that if you picked a sliding window of say 1 month beginning 1 year ago (and ending 11 months ago), you will see vastly different stats to say a sliding window of 1 month to today. If you picked a sliding window of 1 year ago until today, it will only report on the latest stats gathered within the last hour. 

 

I believe for DHCP range stats, the system gets an event for every range, every hour. So the granularity of reporting is limited to an hourly basis.

Re: DHCPv4 Top Utilized Ranges

mf266x
Techie
Posts: 5
4291     1

Hi there! Thank you very much for sharing the code below. I´m facing the same issue and would like to ask you 2 quick questions.

1) What are the steps to add this script to the Grid server and make it run? I´m trying to prevent any impact to the production environment as this is the first time we will be "playing around" with the reporting module.

2) Do you have a way to include the SUBNET DESCRIPTION field into your report? I know that when the Client got migrated to Infoblox, they included the Site City on the description, and we truly need that in order to corelate each subnet to a Site.

 

Thanks a lot in advance.

Showing results for 
Search instead for 
Do you mean 

Recommended for You