Hello, I am trying to calculate the browse time and bandwidth usage of users by looking at the log files of the firewall. As far as I can understand, the best way to do this is to use the transaction command. However, to make the transaction command more efficient, I tried to use it with tstats (which may be completely wrong). My assumption is that if there is more than one log for a source IP to a destination IP for the same time value, it is for the same session. Here is my query:

| tstats sum(datamodel.mbyte) as mbyte from datamodel=datamodel by _time source destination
| transaction source destination maxpause=1m

My questions are:

Is there a more efficient way to calculate these values?

The max duration value for my query is always equal to the maxpause value. Shouldn't there be values greater than maxpause?

Thanks in advance
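An added example, not part of the original post and not Splunk's implementation: a small Python model of the sessionization the post describes, grouping rows per source and destination and starting a new session when the gap between consecutive rows exceeds maxpause. The sample rows, the function names and the choice to treat a gap exactly equal to maxpause as the same session are assumptions.

```python
from collections import defaultdict

MAXPAUSE = 60  # seconds; mirrors maxpause=1m in the query above

# Constructed sample rows: (epoch_seconds, source, destination, mbyte)
ROWS = [
    (0,   "10.0.0.5", "203.0.113.10", 1.0),
    (60,  "10.0.0.5", "203.0.113.10", 2.0),
    (120, "10.0.0.5", "203.0.113.10", 0.5),
    (400, "10.0.0.5", "203.0.113.10", 4.0),
    (30,  "10.0.0.7", "203.0.113.10", 3.0),
]

def sessionize(rows, maxpause=MAXPAUSE):
    """Split each (source, destination) stream into sessions on gaps > maxpause."""
    by_pair = defaultdict(list)
    for t, src, dst, mb in rows:
        by_pair[(src, dst)].append((t, mb))
    sessions = []
    for (src, dst), events in sorted(by_pair.items()):
        events.sort()  # oldest first, so gaps are measured between neighbours
        start = last = events[0][0]
        total = events[0][1]
        for t, mb in events[1:]:
            if t - last > maxpause:  # pause too long: close the current session
                sessions.append({"source": src, "destination": dst,
                                 "duration": last - start, "mbyte": total})
                start, total = t, 0.0
            last = t
            total += mb
        sessions.append({"source": src, "destination": dst,
                         "duration": last - start, "mbyte": total})
    return sessions

def per_user(sessions):
    """Sum session duration and volume per source IP."""
    out = defaultdict(lambda: {"browse_seconds": 0, "mbyte": 0.0})
    for s in sessions:
        out[s["source"]]["browse_seconds"] += s["duration"]
        out[s["source"]]["mbyte"] += s["mbyte"]
    return dict(out)

if __name__ == "__main__":
    for s in sessionize(ROWS):
        print(s)
    print(per_user(sessionize(ROWS)))
```

In this model, maxpause limits only the gap between neighbouring rows, so a chain of rows can produce a session longer than maxpause, while a session made of a single row has a duration of 0.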