DHCP Leases per Second

New Member
Posts: 1

Hello,

 

I am trying to run a report that shows the DHCP Leases per Second.  The report I ran (for the last 7 days) shows a max of 3000, but the data appears to be in 30 minute increments.  So, when I divide 3000 by 1800 (60 sec x 30 min) to get seconds, it comes out to be < 2 leases per second.  This seems way too low.  Is there a better way to calculate DHCP Leases per Second?  The specific report I ran is DHCP Message Rate Trend, which is the report our Infoblox support person recommended I run.    Any help would be appreciated.

 

Thanks,

Joe

Re: DHCP Leases per Second

Moderator
Posts: 72

Dear Joe,

While I do not know your search string, I guess that you are running your search on the dhcp_summary index (index=ib_dhcp_summary), which is a summary index updated every 30th minute from 14 through 59 by si-search-dhcp-message.

 

Please try the below and let me know what you think.

sourcetype=ib:dhcp:message index=ib_dhcp| rex "^[^,]*,(?<PROTO>[46])(,(?<COUNT1>\d+))?(,(?<COUNT2>\d+))?(,(?<COUNT3>\d+))?(,(?<COUNT4>\d+))?(,(?<COUNT5>\d+))?(,(?<COUNT6>\d+))?(,(?<COUNT7>\d+))?(,(?<COUNT8>\d+))?(,(?<COUNT9>\d+))?(,(?<COUNT10>\d+))?(,(?<COUNT11>\d+))?(,(?<COUNT12>\d+))?(,(?<COUNT13>\d+))?(,(?<COUNT14>\d+))?(,(?<COUNT15>\d+))?" | eval Protocol=if(PROTO=="6","IPV6","IPV4") | bucket span=1m _time | stats sum(eval(if(PROTO=="4",COUNT1/60,0))) as v4discover, sum(eval(if(PROTO=="4",COUNT2/60,0))) as v4offer, sum(eval(if(PROTO=="4",COUNT3/60,0))) as v4request, sum(eval(if(PROTO=="4",COUNT5/60,0))) as v4ack by _time   | timechart  bins=1000 avg(v4discover) as DHCPDISCOVER, avg(v4offer) as DHCPOFFER, avg(v4request) as DHCPREQUEST, avg(v4ack) as DHCPACK | interpolate 120


If you are searching data for the past 24 hours, you may want to change the "timechart bins=1000" value to ~10,000 and change it to ~50,000 or more for data as large as past 7 days so that you can get a per minute average.


Best Regards,
Bibin Thomas
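
As an added illustration (not part of the original posts and not Infoblox code), the Python below mirrors the per-minute bucketing of the search above on constructed events, showing how a 30-minute total of 3000 averages under 2 per second while a single minute peaks far higher. The event layout, the `member1` first field, the timestamps and the sample counts are assumptions built to fit the rex pattern.

```python
import re
from collections import defaultdict

# Same shape as the rex in the search above: one leading field, protocol 4 or 6,
# then up to 15 optional comma-separated counters (Python named-group syntax).
LINE_RE = re.compile(
    r"^[^,]*,(?P<PROTO>[46])"
    + "".join(rf"(,(?P<COUNT{i}>\d+))?" for i in range(1, 16))
)
# Counter positions as used in the search above.
FIELDS = {"DHCPDISCOVER": "COUNT1", "DHCPOFFER": "COUNT2",
          "DHCPREQUEST": "COUNT3", "DHCPACK": "COUNT5"}


def per_second_rates(events, span=60):
    """events: iterable of (epoch_seconds, raw_line).
    Returns {bucket_start: {message_type: messages_per_second}}."""
    buckets = defaultdict(lambda: dict.fromkeys(FIELDS, 0.0))
    for ts, raw in events:
        m = LINE_RE.match(raw)
        if not m or m.group("PROTO") != "4":
            continue  # the search only charts the IPv4 counters
        start = ts - ts % span  # equivalent of: bucket span=1m _time
        for name, group in FIELDS.items():
            # a missing counter contributes nothing, like a null in stats sum()
            buckets[start][name] += int(m.group(group) or 0) / span
    return dict(buckets)


def peak_vs_window_average(events, name="DHCPACK", window=1800, span=60):
    """Busiest per-minute rate next to the flat average over the whole window."""
    rates = per_second_rates(events, span)
    peak = max(r[name] for r in rates.values())
    average = sum(r[name] * span for r in rates.values()) / window
    return peak, average


# Constructed sample: 30 one-minute events whose ACK counts total 3000,
# with one burst minute; "member1" stands in for the unknown first field.
SAMPLE = [
    (1_700_000_040 + 60 * i, f"member1,4,60,60,60,0,{1260 if i == 12 else 60}")
    for i in range(30)
]

if __name__ == "__main__":
    peak, average = peak_vs_window_average(SAMPLE)
    print(f"peak per-minute rate: {peak:.2f}/s, 30-minute average: {average:.2f}/s")
```
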

Re: DHCP Leases per Second

Techie
Posts: 5

Thanks Bibin.

I have a similar use case: Need to understand DHCP leases per second per DHCP member per week.

 

I tried changing the search string as you recommend below.  However I receive an error within Reporting as follows:  ! Note: Unknown command interpolate. Did you mean Correlate?

 

So I changed the interpolate word to correlate and adjusted the timechart bins from 1000 to 50000.

 

However I only see the value of 1 listed for all values?  I must have done something wrong.  Here is the search string I used:

 

sourcetype=ib:dhcp:message index=ib_dhcp| rex "^[^,]*,(?<PROTO>[46])(,(?<COUNT1>\d+))?(,(?<COUNT2>\d+))?(,(?<COUNT3>\d+))?(,(?<COUNT4>\d+))?(,(?<COUNT5>\d+))?(,(?<COUNT6>\d+))?(,(?<COUNT7>\d+))?(,(?<COUNT8>\d+))?(,(?<COUNT9>\d+))?(,(?<COUNT10>\d+))?(,(?<COUNT11>\d+))?(,(?<COUNT12>\d+))?(,(?<COUNT13>\d+))?(,(?<COUNT14>\d+))?(,(?<COUNT15>\d+))?" | eval Protocol=if(PROTO=="6","IPV6","IPV4") | bucket span=1m _time | stats sum(eval(if(PROTO=="4",COUNT1/60,0))) as v4discover, sum(eval(if(PROTO=="4",COUNT2/60,0))) as v4offer, sum(eval(if(PROTO=="4",COUNT3/60,0))) as v4request, sum(eval(if(PROTO=="4",COUNT5/60,0))) as v4ack by _time   | timechart  bins=50000 avg(v4discover) as DHCPDISCOVER, avg(v4offer) as DHCPOFFER, avg(v4request) as DHCPREQUEST, avg(v4ack) as DHCPACK | correlate 120

 

Anything missing or require adjusting?

Reply appreciated.

Re: DHCP Leases per Second

Moderator
Posts: 72

Hi James,

I wish I could've gotten back to you sooner.

"interpolate" in reporting is a custom Infoblox command and has nothing to do with Splunk.

Therefore, it will only work inside the "Infoblox Reporting & Analytics" App. In case you are running your search inside Splunk's "Search & Reporting" App, that error is expected. Please switch apps from the drop-down on the top left.

 

If you are receiving this error inside the "Infoblox Reporting & Analytics" App, there is something wrong with your reporting appliance which needs to be investigated by Infoblox Support, because there are multiple predefined reports which make use of the interpolate command and they may either fail completely or throw an error if interpolate is missing.

Example reports which use interpolate:
CPU Utilization Trend
Memory Utilization Trend

By the way, what NIOS version are you on?



Best Regards,

Bibin Thomas
