I am trying to write a query to calculate the amount of bytes  received and sent per day from one of our firewalls at our site to a firewall at another site. This is to create a series of daily metrics for management. I've come up with a query that succeeds most of the time. Current query:   index=syslogindex device=firewall vpn=site1-to-site2 | bin span=1d _time | stats range(rcvdbyte) as rcvdbyte range(sentbyte) as sentbyte by _time   However, this query fails on days when the vpn tunnel is reset.  The rcvdbyte and sentbyte fields that come from the firewall are summed values from the moment the VPN tunnel is started. When the tunnel is reset, it creates a new tunnelid and resets the rcvdbyte, sentbyte, and duration counts to zero. And the current query I am using calculates a massive spike for those days since the range of the rcvdbyte field is now zero minus whatever the previous summed amount of the rcvdbyte field was. There are a few ways I can think of changing the query to account for when the tunnel is reset. One of my ideas is to track tunnelid over time while still calculating daily rcvdbyte and sentbyte ranges. Another is to somehow track when rcvdbyte or sentbyte or even duration get reset to zero and do a different calculation for that day. Another solution is to just disregard the days when it is reset. However, I haven't been able to implement any of the solutions I have thought of. Does anyone have any different ideas or know how I can implement one of my ideas? An example event:   date=2021-06-01 time=23:50:43 device=firewall serialid=1234567891 loggingid=123456789 type=event subtype=vpn loggingdesc="tunnel statistics" loggingmsg="tunnel statistics" action=tunnel-stats remoteip=192.168.1.2 localip=192.168.2.2 remoteport=60000 localport=60000 vpn="site1-to-site2" tunnelid=1234567891 tunneltype="vpn" duration=10170 sentbyte=120 rcvdbyte=360     ... View more