Hey, if I have multiple logs like this:

type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.102|srcPort=54610|srcMAC=00:00:00:00:00:00|dstIP=104.96.151.235|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.142.196|dstNAT=104.96.151.235|duration=0|count=1|receivedBytes=12|sentBytes=51|receivedPackets=125|sentPackets=12|user=n600724|protocol=HTTP direct|application=Web browsing|target=www.microsoft.com|content=|urlcat=Computing/Technology
I would like to know which user is creating the most traffic. For example, I would like to see a graph of receivedBytes + sentBytes for HTTP and HTTPS traffic for each user. Is this possible with Graylog?

In Splunk it looks like this:

    index=main (dstPort=80 OR dstPort=443) | eval totalbytes=receivedBytes+sentBytes | stats sum(totalbytes) as total by user | sort -total | head 10 | top total by user showcount=false showperc=false

In Graylog I tried to search:

    gl2_source_input:577e4cd717fd300404e5d7c8 AND (DST-PORT:80 OR DST-PORT:443)

I added RECEIVED-BYTES, SENT-BYTES and USER to Field Statistics:

    Field           Total    Mean  Minimum  Maximum  Std. deviation  Variance  Sum  Cardinality
    RECEIVED-BYTES  155,805  NaN   NaN      NaN      NaN             NaN       NaN  7,067
    SENT-BYTES      155,739  NaN   NaN      NaN      NaN             NaN       NaN  5,667
    USER            49,031   NaN   NaN      NaN      NaN             NaN       NaN  113

But I am stuck here. Can anyone help me with this?
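As an added example (not from the post, and not Graylog's own code), here is the aggregation the Splunk query computes, done directly over the pipe-delimited key=value record format shown above: parse each record, keep only dstPort 80 and 443, sum receivedBytes + sentBytes per user, and rank the users. The sample records are constructed, and the function and variable names are assumptions; byte counters are cast to integers, and records whose counters do not parse as numbers are counted as skipped rather than silently dropped.

```python
from collections import defaultdict

# Constructed sample records in the same key=value|key=value layout as the post
# (a subset of the fields; one record carries a non-numeric byte counter on purpose).
SAMPLE_LOGS = [
    "type=FWD|proto=TCP|srcIP=10.244.130.102|srcPort=54610|dstIP=104.96.151.235|dstPort=80|receivedBytes=12|sentBytes=51|user=n600724|protocol=HTTP direct",
    "type=FWD|proto=TCP|srcIP=10.244.130.103|srcPort=54611|dstIP=104.96.151.235|dstPort=443|receivedBytes=1000|sentBytes=200|user=alice|protocol=HTTPS",
    "type=FWD|proto=TCP|srcIP=10.244.130.102|srcPort=54612|dstIP=10.0.0.5|dstPort=22|receivedBytes=5000|sentBytes=5000|user=n600724|protocol=SSH",
    "type=FWD|proto=TCP|srcIP=10.244.130.104|srcPort=54613|dstIP=104.96.151.235|dstPort=80|receivedBytes=300|sentBytes=100|user=n600724|protocol=HTTP direct",
    "type=FWD|proto=TCP|srcIP=10.244.130.105|srcPort=54614|dstIP=104.96.151.235|dstPort=443|receivedBytes=abc|sentBytes=10|user=bob|protocol=HTTPS",
]


def parse_record(line):
    """Split one record on '|' and each pair on the FIRST '=' only, so values
    containing '=' survive; empty values (e.g. 'rule=') are kept as ''."""
    fields = {}
    for pair in line.split("|"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    return fields


def to_int(value):
    """Return the value as int, or None if it is missing or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def top_web_users(lines, ports=(80, 443), limit=10):
    """Equivalent of the Splunk pipeline: filter on dstPort, sum
    receivedBytes + sentBytes per user, sort descending, take the top N.
    Returns (ranked list of (user, total_bytes), number of skipped records)."""
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_record(line)
        if to_int(rec.get("dstPort")) not in ports:
            continue  # not HTTP/HTTPS traffic
        rx = to_int(rec.get("receivedBytes"))
        tx = to_int(rec.get("sentBytes"))
        if rx is None or tx is None:
            skipped += 1  # counters must be numeric to be summed
            continue
        totals[rec.get("user") or "<unknown>"] += rx + tx
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit], skipped
```

The same point applies inside a log platform: a per-user sum is only possible once receivedBytes and sentBytes are stored as numeric fields, so the extractor or parser must convert them before indexing.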
