Hi Keamas, aggregating or summing up different fields is currently not possible with Graylog.
Cheers,
Jochen

On Thursday, 7 July 2016 16:00:21 UTC+2, Keamas M wrote:
> Hey,
> if I have multiple logs like this:
>
> type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.102|srcPort=54610|srcMAC=00:00:00:00:00:00|dstIP=104.96.151.235|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.142.196|dstNAT=104.96.151.235|duration=0|count=1|receivedBytes=12|sentBytes=51|receivedPackets=125|sentPackets=12|user=n600724|protocol=HTTP direct|application=Web browsing|target=www.microsoft.com|content=|urlcat=Computing/Technology
>
> I would like to know which user is creating the most traffic.
> For example I would like to see a graph of: receivedBytes + sentBytes for HTTP and HTTPS traffic for each user.
>
> Is this possible with Graylog?
>
> In Splunk it looks like this:
>
> index=main (dstPort=80 OR dstPort=443) | eval totalbytes=receivedBytes+sentBytes | stats sum(totalbytes) as total by user | sort -total | head 10 | top total by user showcount=false showperc=false
>
> In Graylog I tried to search:
>
> gl2_source_input:577e4cd717fd300404e5d7c8 AND (DST-PORT:80 OR DST-PORT:443)
>
> I added RECEIVED-BYTES, SENT-BYTES and USER to Field Statistics:
>
> Field Statistics
> Field           Total    Mean  Minimum  Maximum  Std. deviation  Variance  Sum  Cardinality
> RECEIVED-BYTES  155,805  NaN   NaN      NaN      NaN             NaN       NaN  7,067
> SENT-BYTES      155,739  NaN   NaN      NaN      NaN             NaN       NaN  5,667
> USER            49,031   NaN   NaN      NaN      NaN             NaN       NaN  113
>
> But I am stuck here. Can anyone help me with this?

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/bba6b5aa-c3ea-4e96-bc45-818a7a17f76f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
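Since Graylog cannot sum two fields server-side, one workaround is to export the matching messages and compute the per-user totals outside Graylog. The script below is an added example, not code from the thread or from Graylog: it parses the pipe-delimited key=value format quoted above and reproduces the Splunk pipeline (filter on dstPort 80/443, receivedBytes+sentBytes per user, top 10) over constructed sample records; the extra users and the malformed record are made up to exercise the ranking and the error handling.

```python
from collections import defaultdict

# Constructed sample records in the 'key=value|key=value' format from the thread.
# The first line is the quoted record (shortened); the others are invented.
SAMPLE_LOGS = [
    "type=FWD|proto=TCP|srcIP=10.244.130.102|dstIP=104.96.151.235|dstPort=80|rule=|"
    "receivedBytes=12|sentBytes=51|user=n600724|protocol=HTTP direct|target=www.microsoft.com",
    "type=FWD|proto=TCP|srcIP=10.244.130.102|dstIP=104.96.151.235|dstPort=443|"
    "receivedBytes=1000|sentBytes=200|user=n600724|protocol=HTTPS",
    "type=FWD|proto=TCP|srcIP=10.244.130.103|dstIP=104.96.151.235|dstPort=80|"
    "receivedBytes=5000|sentBytes=300|user=alice|protocol=HTTP",
    "type=FWD|proto=TCP|srcIP=10.244.130.103|dstIP=104.96.151.235|dstPort=22|"
    "receivedBytes=99999|sentBytes=99999|user=alice|protocol=SSH",      # not web traffic
    "type=FWD|proto=TCP|dstPort=80|receivedBytes=abc|sentBytes=5|user=bob",  # malformed counter
]


def parse_record(line):
    """Split one 'k=v|k=v' line into a dict. Empty values (rule=) are kept as ''."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:  # ignore fragments without a '=' rather than guessing a key
            fields[key] = value
    return fields


def top_web_users(lines, ports=("80", "443"), limit=10):
    """Mirror of the Splunk pipeline: keep dstPort in `ports`, sum
    receivedBytes+sentBytes per user, return the `limit` largest totals."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec.get("dstPort") not in ports or not rec.get("user"):
            continue
        try:
            total = int(rec.get("receivedBytes", 0)) + int(rec.get("sentBytes", 0))
        except ValueError:
            continue  # a non-numeric counter should not poison the user's sum
        totals[rec["user"]] += total
    # Sort by descending bytes, then by user name so ties are deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for user, total in top_web_users(SAMPLE_LOGS):
        print(f"{user:12s} {total:>8d}")
```

Feeding the script an export of the Graylog search results (one raw message per line) gives the same ranking the Splunk query produces.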
