topic How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG? in All Apps and Add-ons

How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

SGun — Mon, 25 Jun 2018 12:03:31 GMT

Monitoring proxy uploaded data split by users, greater than say 1GB in the last 24hrs and then Alert.

Not sure how to do this.

index="proxy_logs" time="*"  filter_results=OBSERVED protocol="*" url="*"  upload="*" user="*" |

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

renjith_nair — Mon, 25 Jun 2018 13:00:16 GMT

Hi @SGun,

Try this,

index="proxy_logs"  <rest of your search> | stats sum(your data size  field/1073741824 ) as total_gb by user | where total_gb > "your threshold value"

Please provide your field name of data size and also unit if the above does not work

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

SGun — Mon, 25 Jun 2018 13:41:10 GMT

| stats sum(upload) as total by userID | where total > 10000000

Works great.

So if I wanted to add this output to a table, with other information such as date, time, user, url, upload?

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

SGun — Mon, 25 Jun 2018 13:42:12 GMT

| stats sum(upload) as total by user | where total > 10000000

Works great.

So if I wanted to add this output to a table, with other information such as date, time, user, url, upload?

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

renjith_nair — Mon, 25 Jun 2018 13:53:18 GMT

If you would like to split by other fields , then you can add them to the by clause e.g. | stats sum(upload) as total by user,upload . However its not an aggregation over user but all other fields in by clause

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

renjith_nair — Tue, 26 Jun 2018 02:07:19 GMT

If you would like to split by other fields , then you can add them to the by clause e.g. | stats sum(upload) as total by user,upload . However its not an aggregation over user but all other fields in by clause

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

SGun — Tue, 29 Sep 2020 20:11:47 GMT

index="proxy_logs" filter_results=OBSERVED | stats sum(upload) as total by date,time,userID,url | where total > 10000000

Thanks again for your help.

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

SGun — Tue, 26 Jun 2018 09:30:49 GMT

I also need to figure out how to aggregate the data or just show the highest upload by the user

Re: How to monitor proxy uploaded data split by users, greater than say 1GB Splunk for Blue Coat ProxySG?

SGun — Tue, 29 Sep 2020 20:11:55 GMT

index="proxy_logs" filter_results=OBSERVED | eval MB=upload/(1024*1024) | stats sum(upload) as total by date,userID,url,MB upload | where total > 10000000

does the conversion to MB - still need to aggregate the user upload