https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122081#M32852 <P>Not sure how I missed this, thank you!</P> Thu, 02 Apr 2015 23:12:28 GMT DEAD_BEEF 2015-04-02T23:12:28Z https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122079#M32850 <P>I am looking through my firewall logs and would like to find the total byte count between a single source and a single destination. There are multiple byte count values over the 2-hour search duration and I would simply like to see a table listing the source, destination, and total byte count.</P> <P>I've tried stats and eventstats but nothing seems to work right.</P> <P>Current query:</P> <PRE><CODE>index=fw_log src_ip=1.2.3.4 dst_ip=5.6.7.8 | eventstats sum(bytes) AS "Total Bytes" by src_ip | table src_ip,dst_ip,"Total Bytes" </CODE></PRE> <P>What I want is:</P> <PRE><CODE> src_ip dst_ip Total Bytes 1.2.3.4 5.6.7.8 94782161 </CODE></PRE> <P>What I'm getting is:</P> <PRE><CODE> src_ip dst_ip Total Bytes 1.2.3.4 5.6.7.8 37473882 1.2.3.4 5.6.7.8 37473882 1.2.3.4 5.6.7.8 37473882 1.2.3.4 5.6.7.8 37473882 </CODE></PRE> Thu, 02 Apr 2015 22:51:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122079#M32850 DEAD_BEEF 2015-04-02T22:51:41Z https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122080#M32851 <PRE><CODE>index=fw_log src_ip=1.2.3.4 dst_ip=5.6.7.8 | stats sum(bytes) AS "Total Bytes" by src_ip dst_ip </CODE></PRE> <P>That will give you the one row. You don't want to use eventstats here, but rather its bigger brother stats. Stats with a "by foo" or "by foo bar", will output one row for every unique combination of the "by" fields. Eventstats however, will output pretty much exactly the same rows that it received from the prior command, except that it will have tacked on a couple extra fields that it computed in various ways. </P> <P>If you want to see all pairs of src_ip and dst_ip, that would be </P> <PRE><CODE>index=fw_log | stats sum(bytes) AS "Total Bytes" by src_ip dst_ip </CODE></PRE> Mon, 28 Sep 2020 19:24:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122080#M32851 sideview 2020-09-28T19:24:45Z https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122081#M32852 <P>Not sure how I missed this, thank you!</P> Thu, 02 Apr 2015 23:12:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122081#M32852 DEAD_BEEF 2015-04-02T23:12:28Z https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122082#M32853 <P>How do you convert the Total Bytes into mb or gb from this search?</P> Mon, 20 Jan 2020 16:04:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122082#M32853 velthias 2020-01-20T16:04:36Z https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122083#M32854 <PRE><CODE>index=fw_log | stats sum(bytes) AS Total_Bytes sum(eval(round(bytes/1024))) AS Total_Bytes_MB sum(eval(round(bytes/1024/1024))) AS "otal_Bytes_GB by src_ip dst_ip </CODE></PRE> <P>OR </P> <PRE><CODE> index=fw_log | stats sum(bytes) AS Total_Bytes by src_ip dst_ip | eval Total_Bytes_MB= round(Total_Bytes/1024) | eval Total_Bytes_GB=round(Total_Bytes/1024/1024) </CODE></PRE> Mon, 20 Jan 2020 17:16:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-total-byte-count/m-p/122083#M32854 to4kawa 2020-01-20T17:16:53Z