index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | rename connectionType as Type  | search Type!=cooked | rename version AS "Version", sourceIp AS "Source IP", sourceHost AS "Host", destPort AS "Port" | fields Type, "Source IP", Host, Port, kb, tcp_eps, tcp_Kprocessed, tcp_KBps, splunk_server, Version | eval Hour=relative_time(_time,"@h")  | stats  avg(tcp_KBps) sum(tcp_Kprocessed), BY Host, Type, "Source IP", Port, Version