Hi @Drewprice, there are some conceptual and logical errors in your search: first, you have to define a time period for the check, e.g. every 10 minutes, otherwise there's no sense in using _time in your search. The second error is that you don't need to transform the timestamp into human-readable form. At least, but this is an interpretation of mine, why do you want to calculate the peak? Usually it's the amount of sent bytes in a period that is calculated, and anyway you use the sum function, so you don't calculate the peak (for the peak you should use max).

So you should try something like this: if you want to trigger an alert if the amount of bytes in one minute is more than , you should run something like this:

index=netfw host="firewall" srcname IN (host1,host2,host3...) action=allowed dstip=8.8.8.8
| timechart sum(sentbyte) AS count span=1m
| where count>5000000

or

index=netfw host="firewall" srcname IN (host1,host2,host3...) action=allowed dstip=8.8.8.8
| bin span=1m _time
| stats sum(sentbyte) AS count BY _time
| where count>5000000

Ciao.
Giuseppe
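The following is an added example and is not part of Giuseppe's answer or of Splunk: a small Python model of the second SPL pipeline above, run over constructed firewall records (the events, hosts, timestamps and byte counts are made up for illustration; the field names mirror the SPL). It applies the base search filter, bins events into 60-second spans the way `bin span=1m _time` does, sums `sentbyte` per bin like `stats sum(sentbyte) BY _time`, and flags bins whose total exceeds the threshold like `where count>5000000`. It also tracks the per-bin `max`, so the sum-versus-peak distinction the answer makes is visible: in the sample data no single event crosses the threshold, but one minute's total does.

```python
# Added example, not code from the original Splunk Answers post.
# Models the SPL: base search | bin span=1m _time | stats sum(sentbyte) BY _time | where count>THRESHOLD
from collections import defaultdict
from datetime import datetime, timezone

SPAN_SECONDS = 60        # span=1m
THRESHOLD = 5_000_000    # where count>5000000
WATCHED_HOSTS = {"host1", "host2", "host3"}   # srcname IN (host1,host2,host3...)
WATCHED_DST = "8.8.8.8"  # dstip=8.8.8.8

# Constructed sample events: epoch seconds, source host, action, destination, bytes sent.
# BASE is chosen to fall exactly on a minute boundary so the bins are easy to read.
BASE = 1_700_000_040
SAMPLE_EVENTS = [
    {"_time": BASE + 0,   "srcname": "host1", "action": "allowed", "dstip": "8.8.8.8", "sentbyte": 1_000_000},
    {"_time": BASE + 20,  "srcname": "host2", "action": "allowed", "dstip": "8.8.8.8", "sentbyte": 2_500_000},
    {"_time": BASE + 45,  "srcname": "host1", "action": "allowed", "dstip": "8.8.8.8", "sentbyte": 2_000_000},
    {"_time": BASE + 70,  "srcname": "host3", "action": "allowed", "dstip": "8.8.8.8", "sentbyte": 300_000},
    {"_time": BASE + 75,  "srcname": "host1", "action": "denied",  "dstip": "8.8.8.8", "sentbyte": 9_000_000},  # filtered out by action
    {"_time": BASE + 130, "srcname": "host2", "action": "allowed", "dstip": "1.1.1.1", "sentbyte": 8_000_000},  # filtered out by dstip
    {"_time": BASE + 140, "srcname": "host2", "action": "allowed", "dstip": "8.8.8.8", "sentbyte": 4_000_000},
]


def matches_search(ev):
    """The base search: srcname IN (...), action=allowed, dstip=8.8.8.8."""
    return (ev["srcname"] in WATCHED_HOSTS
            and ev["action"] == "allowed"
            and ev["dstip"] == WATCHED_DST)


def bin_time(epoch, span=SPAN_SECONDS):
    """Equivalent of `bin span=1m _time`: floor the timestamp to the start of its span."""
    return epoch - (epoch % span)


def aggregate(events, span=SPAN_SECONDS):
    """Return {bin_start: {"sum": total_bytes, "max": largest_single_event}} for matching events.

    "sum" is what the answer's stats sum(sentbyte) computes (bytes sent in the period);
    "max" is the per-event peak that max(sentbyte) would give instead.
    """
    bins = defaultdict(lambda: {"sum": 0, "max": 0})
    for ev in events:
        if not matches_search(ev):
            continue
        b = bins[bin_time(ev["_time"], span)]
        b["sum"] += ev["sentbyte"]
        b["max"] = max(b["max"], ev["sentbyte"])
    return dict(bins)


def alert_bins(events, threshold=THRESHOLD, span=SPAN_SECONDS):
    """Bin start times whose summed bytes exceed the threshold (the `where count>...` step)."""
    agg = aggregate(events, span)
    return sorted(start for start, v in agg.items() if v["sum"] > threshold)


if __name__ == "__main__":
    for start, v in sorted(aggregate(SAMPLE_EVENTS).items()):
        when = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        flag = "ALERT" if v["sum"] > THRESHOLD else "ok"
        print(f"{when}  sum={v['sum']:>10,}  max={v['max']:>10,}  {flag}")
```

Run as a script it prints one line per minute bin; only the first bin alerts, with a sum of 5,500,000 bytes although its largest single event is 2,500,000, which is the point of summing per period rather than taking the peak.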