I am trying to write a search for Juniper firewall logs, where I want to get an alert if any user consumes more than 500 Mb of bandwidth in the last one hour. I have the desired fields in my Splunk logs, like bytes_in and bytes_out. Kindly suggest.
index=main sourcetype="juniper:junos:firewall" host="10.10.10.1" | stats sum(bytes_out) AS TotalSent, sum(bytes_in) AS TotalRcvd by src
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| table src TotalMB
Add the following to the end of your search
| where TotalMB >=500
But it is showing the bytes calculation session-wise, and hence the bandwidth value is very low. I want to do this sum calculation based on the client IP address.
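The aggregation the thread's search performs (sum bytes_in plus bytes_out per source address, convert to MB, keep only sources at or above 500 MB) written out as a small Python script, as an added example that is not part of the original thread and not Splunk's or Juniper's code. It assumes events that already carry Splunk-style extracted fields (src, bytes_in, bytes_out) as key=value pairs after a timestamp; the event lines are constructed for this example, not real Juniper logs. It also adds the one-hour window that the question asks for (the equivalent of running the search with earliest=-1h) and skips malformed events instead of failing, which the search on the page does not show.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape of Splunk's extracted fields.
# These are NOT real Juniper log lines; they are made up for this example.
# Source 10.1.1.20 has three sessions that are each below 500 MB but sum
# to 570 MB within the hour; source 10.1.1.31 has a 1 GB session that is
# older than one hour and must be ignored.
SAMPLE_EVENTS = """\
2024-05-01T10:05:00Z src=10.1.1.20 dst=203.0.113.7 bytes_in=157286400 bytes_out=52428800
2024-05-01T10:20:00Z src=10.1.1.20 dst=203.0.113.9 bytes_in=262144000 bytes_out=104857600
2024-05-01T10:40:00Z src=10.1.1.20 dst=198.51.100.3 bytes_in=0 bytes_out=20971520
2024-05-01T10:15:00Z src=10.1.1.31 dst=203.0.113.7 bytes_in=10485760 bytes_out=5242880
2024-05-01T08:30:00Z src=10.1.1.31 dst=203.0.113.7 bytes_in=1073741824 bytes_out=0
"""

# "Now" is fixed so the example is reproducible (assumed value).
NOW = datetime(2024, 5, 1, 10, 45, tzinfo=timezone.utc)

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        return {
            "ts": ts,
            "src": fields["src"],
            "bytes_in": int(fields["bytes_in"]),
            "bytes_out": int(fields["bytes_out"]),
        }
    except (KeyError, ValueError):
        # Missing field or non-numeric byte count: skip the event rather
        # than abort the whole calculation.
        return None


def total_mb_by_src(lines, now, window=timedelta(hours=1)):
    """Equivalent of: stats sum(bytes_out)+sum(bytes_in) by src, then /1024/1024.

    Only events whose timestamp falls inside [now - window, now] are counted,
    which is what earliest=-1h does for the search on the page.
    """
    totals = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not (now - window <= ev["ts"] <= now):
            continue
        totals[ev["src"]] = totals.get(ev["src"], 0) + ev["bytes_in"] + ev["bytes_out"]
    # Same rounding as the thread's eval: round(bytes/1024/1024, 2)
    return {src: round(b / 1024 / 1024, 2) for src, b in totals.items()}


def sources_over_threshold(totals_mb, threshold_mb=500):
    """Equivalent of: | where TotalMB >= 500 (returns the offending src values)."""
    return sorted(src for src, mb in totals_mb.items() if mb >= threshold_mb)


if __name__ == "__main__":
    totals = total_mb_by_src(SAMPLE_EVENTS.splitlines(), NOW)
    for src, mb in sorted(totals.items()):
        print(f"{src:<12} {mb:>8.2f} MB")
    print("alert:", sources_over_threshold(totals))
```

Running it lists 10.1.1.20 at 570.00 MB and 10.1.1.31 at 15.00 MB and alerts only on 10.1.1.20, which shows the difference between looking at each session on its own (none exceeds 500 MB) and summing per client address over the window.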