Hi Keamas,

Aggregating or summing up different fields is currently not possible with
Graylog.

Cheers,
Jochen

On Thursday, 7 July 2016 16:00:21 UTC+2, Keamas M wrote:
>
> Hey, 
> if I have multiple logs like this:
>
> type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.102|srcPort=54610|srcMAC=00:00:00:00:00:00|dstIP=104.96.151.235|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.142.196|dstNAT=104.96.151.235|duration=0|count=1|receivedBytes=12|sentBytes=51|receivedPackets=125|sentPackets=12|user=n600724|protocol=HTTP direct|application=Web browsing|target=www.microsoft.com|content=|urlcat=Computing/Technology
>
> I would like to know which user is creating the most traffic.
> For example, I would like to see a graph of receivedBytes + sentBytes for
> HTTP and HTTPS traffic for each user.
>
> Is this possible with Graylog?
>
> In Splunk it looks like this:
>
> index=main (dstPort=80 OR dstPort=443) | eval totalbytes=receivedBytes+sentBytes | stats sum(totalbytes) as total by user | sort -total | head 10 | top total by user showcount=false showperc=false
>
> In Graylog I tried to search:
>
> gl2_source_input:577e4cd717fd300404e5d7c8 AND (DST-PORT:80 OR DST-PORT:443)
>
> I added RECEIVED-BYTES, SENT-BYTES and USER to Field Statistics:
>
> Field Statistics
> Field           Total    Mean  Minimum  Maximum  Std. deviation  Variance  Sum  Cardinality
> RECEIVED-BYTES  155,805  NaN   NaN      NaN      NaN             NaN       NaN  7,067
> SENT-BYTES      155,739  NaN   NaN      NaN      NaN             NaN       NaN  5,667
> USER            49,031   NaN   NaN      NaN      NaN             NaN       NaN  113
>
> But I am stuck here. Can anyone help me with this?
>
>
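
The per-user total asked about in the quoted message, computed outside Graylog over exported raw log lines. This is an added example, not part of the original thread and not a Graylog feature; the sample records are constructed in the layout of the quoted log, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample records in the pipe-delimited key=value layout of the quoted log.
SAMPLE = [
    "type=FWD|proto=TCP|dstPort=80|receivedBytes=12|sentBytes=51|user=alice|protocol=HTTP direct",
    "type=FWD|proto=TCP|dstPort=443|receivedBytes=1000|sentBytes=200|user=bob|protocol=HTTPS direct",
    "type=FWD|proto=TCP|dstPort=443|receivedBytes=100|sentBytes=37|user=alice|protocol=HTTPS direct",
    "type=FWD|proto=TCP|dstPort=22|receivedBytes=5000|sentBytes=5000|user=carol|protocol=SSH",
    "type=FWD|proto=TCP|dstPort=80|receivedBytes=|sentBytes=900|user=bob|protocol=HTTP direct",
    "type=FWD|proto=TCP|dstPort=80|receivedBytes=70|sentBytes=30|user=|protocol=HTTP direct",
]


def parse_line(line):
    """Split one record into a dict. Assumes values never contain '|'."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:  # ignore fragments that carry no '='
            fields[key.strip()] = value.strip()
    return fields


def to_int(value):
    """Return the value as an int, or None when it is empty or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def top_talkers(lines, ports=("80", "443"), limit=10):
    """Sum receivedBytes + sentBytes per user for the given destination ports."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("dstPort") not in ports:
            continue
        user = rec.get("user")
        rx, tx = to_int(rec.get("receivedBytes")), to_int(rec.get("sentBytes"))
        if not user or rx is None or tx is None:
            continue  # skip records that cannot be attributed or summed
        totals[user] += rx + tx
    return totals.most_common(limit)


if __name__ == "__main__":
    for user, total in top_talkers(SAMPLE):
        print(f"{user}\t{total}")
```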
