Hello,
I am trying to calculate the browse time and bandwidth usage of users by looking at the log files of the firewall. As far as I can understand, the best way to do this is to use the transaction command. However, to make the transaction command more efficient, I tried to use it with tstats (which may be completely wrong). My assumption is that if there is more than one log for a source IP to a destination IP for the same time value, it is for the same session.
Here is my query:
| tstats sum(datamodel.mbyte) as mbyte from datamodel=datamodel by _time source destination
| transaction source destination maxpause=1m
My questions are:
Thanks in advance
I wonder if you might misunderstand the transaction command. It merges multiple events based on shared elements. The tstats command with a by clause does a similar thing so you probably don't need both commands. Have you tried tstats by itself to see if it produces the desired results?
Well, I may be wrong about transaction, but let me clarify what I need by giving examples. Let's say that I have data as follows:
Event ID | Time | Source | Destination |
1 | 08:00:00 | S1 | D1 |
2 | 08:00:45 | S1 | D1 |
3 | 08:01:30 | S1 | D1 |
4 | 08:02:31 | S1 | D1 |
By using transaction I want to group Event IDs 1, 2 and 3, because the time differences between consecutive events are less than 1 min. Here is my desired output:
Transaction ID | Source | Destination | Duration |
1 | S1 | D1 | 90 |
2 | S1 | D1 | 0 |
Shouldn't the transaction command do that? Am I missing something?
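To make the expected grouping concrete, here is an added Python example (not code from the thread or from Splunk) that reproduces what `transaction source destination maxpause=1m` should do on the poster's four events: sort by pair and time, start a new session whenever the gap to the previous event exceeds the pause limit, and report duration and summed traffic per session. The `mbyte` values on the events are constructed for illustration; the thread gives only times, sources and destinations. The second function goes one step beyond the post and rolls sessions up into per-pair browse time and traffic totals, which is the figure the original question was after.

```python
from datetime import datetime, timedelta
from itertools import groupby
from operator import itemgetter

# Constructed sample events: the four events from the poster's table, each with
# a made-up 'mbyte' volume so that bandwidth can be summed per session.
SAMPLE_EVENTS = [
    {"id": 1, "time": "08:00:00", "source": "S1", "destination": "D1", "mbyte": 1.5},
    {"id": 2, "time": "08:00:45", "source": "S1", "destination": "D1", "mbyte": 0.5},
    {"id": 3, "time": "08:01:30", "source": "S1", "destination": "D1", "mbyte": 2.0},
    {"id": 4, "time": "08:02:31", "source": "S1", "destination": "D1", "mbyte": 0.25},
]


def parse_time(value):
    """Parse an HH:MM:SS string; the sample has no date, so all events share one day."""
    return datetime.strptime(value, "%H:%M:%S")


def sessionize(events, maxpause=timedelta(minutes=1)):
    """Group events the way `transaction source destination maxpause=1m` would.

    Events are sorted by (source, destination, time). Within each pair a new
    session starts whenever the gap to the previous event exceeds maxpause.
    Each returned session carries its event ids, duration in seconds
    (last event minus first event, so a single-event session has duration 0)
    and the summed mbyte volume.
    """
    sessions = []
    ordered = sorted(
        events, key=lambda e: (e["source"], e["destination"], parse_time(e["time"]))
    )
    for (src, dst), group in groupby(ordered, key=itemgetter("source", "destination")):
        current = None
        for ev in group:
            t = parse_time(ev["time"])
            if current is None or (t - current["end"]) > maxpause:
                # Gap too large (or first event for this pair): open a new session.
                current = {"source": src, "destination": dst, "start": t, "end": t,
                           "event_ids": [], "mbyte": 0.0}
                sessions.append(current)
            current["end"] = t
            current["event_ids"].append(ev["id"])
            current["mbyte"] += ev["mbyte"]
    for i, s in enumerate(sessions, start=1):
        s["transaction_id"] = i
        s["duration"] = int((s["end"] - s["start"]).total_seconds())
    return sessions


def browse_summary(events, maxpause=timedelta(minutes=1)):
    """Roll sessions up per (source, destination): total browse seconds, traffic, session count."""
    summary = {}
    for s in sessionize(events, maxpause):
        key = (s["source"], s["destination"])
        total = summary.setdefault(key, {"browse_seconds": 0, "mbyte": 0.0, "sessions": 0})
        total["browse_seconds"] += s["duration"]
        total["mbyte"] += s["mbyte"]
        total["sessions"] += 1
    return summary


if __name__ == "__main__":
    for s in sessionize(SAMPLE_EVENTS):
        print(s["transaction_id"], s["source"], s["destination"],
              s["duration"], s["event_ids"], s["mbyte"])
    print(browse_summary(SAMPLE_EVENTS))
```

The gap between event 3 (08:01:30) and event 4 (08:02:31) is 61 seconds, one second over the limit, which is why the example yields two sessions of duration 90 and 0 exactly as in the desired output table; tightening or loosening `maxpause` changes that boundary, so it is the parameter to tune against real firewall idle behaviour.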