Hi Keamas,
aggregating or summing up different fields is currently not possible with
Graylog.
Cheers,
Jochen
On Thursday, 7 July 2016 16:00:21 UTC+2, Keamas M wrote:
>
> Hey,
> if I have multiple logs like this:
>
> type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.102|srcPort=54610|srcMAC=00:00:00:00:00:00|dstIP=104.96.151.235|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.142.196|dstNAT=104.96.151.235|duration=0|count=1|receivedBytes=12|sentBytes=51|receivedPackets=125|sentPackets=12|user=n600724|protocol=HTTP direct|application=Web browsing|target=www.microsoft.com|content=|urlcat=Computing/Technology
>
> I would like to know which user is creating the most traffic.
> For example I would like to see a graph of: receivedBytes + sentBytes for
> HTTP and HTTPS traffic for each user.
>
> Is this possible with Graylog?
>
> In Splunk it looks like this:
>
> index=main (dstPort=80 OR dstPort=443) | eval
> totalbytes=receivedBytes+sentBytes | stats sum(totalbytes) as total by user
> | sort -total | head 10 | top total by user showcount=false showperc=false
>
> In Graylog I tried to search:
>
> gl2_source_input:577e4cd717fd300404e5d7c8 AND (DST-PORT:80 OR DST-PORT:443)
>
> I added to Field Statistics RECEIVED-BYTES, SENT-BYTES and USER
>
> Field Statistics
>
> Field | Total | Mean | Minimum | Maximum | Std. deviation | Variance | Sum | Cardinality
> RECEIVED-BYTES | 155,805 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | 7,067
> SENT-BYTES | 155,739 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | 5,667
> USER | 49,031 | NaN | NaN | NaN | NaN | NaN | NaN | NaN | 113
>
> But I am stuck here. Can anyone help me with this?
>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/bba6b5aa-c3ea-4e96-bc45-818a7a17f76f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.