Apologies for all the parentheses, I was just trying to keep things straight in my head. There's definitely a better way to frame the query. I tried what you suggested with: if(id.resp_h="front end",resp_bytes,0). Even simplifying the expression to filter on one IP address at a time gives an error. Trying to use it like this:

index="zeek" source="conn.log"
((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR
((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields orig_bytes, resp_bytes
| eval terabytes=((if(id.resp_h=192.168.0.1,resp_bytes,0))+(if(id.orig_h=192.168.0.1,orig_bytes,0)))/1024/1024/1024/1024
| stats sum (terabytes)

I just get an error back from Splunk: Error in EvalCommand: the number 192.168.0.1 is invalid
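The same query with the literal the error points at written the way eval expects, as an added example that is not part of the poster's message. It reuses the index, source, macro names and the 192.168.0.1 address from the post as placeholders, and it assumes the id.* fields are still needed after the fields command (the posted query drops them there, so the later eval would have nothing to compare). In eval an unquoted 192.168.0.1 is parsed as a number, which is what the error reports; an IP address has to be a double-quoted string, and a field name containing a dot is safest wrapped in single quotes.

```spl
index="zeek" source="conn.log"
    ((id.orig_h IN `front end`) AND NOT (id.resp_h IN `backend`)) OR
    ((id.resp_h IN `front end`) AND NOT (id.orig_h IN `backend`))
| fields id.orig_h, id.resp_h, orig_bytes, resp_bytes
| eval front_end_bytes = if('id.resp_h'="192.168.0.1", resp_bytes, 0)
                       + if('id.orig_h'="192.168.0.1", orig_bytes, 0)
| stats sum(front_end_bytes) AS total_bytes
| eval terabytes = round(total_bytes / pow(1024, 4), 3)
```

Summing raw bytes first and converting once at the end avoids a per-event division and keeps the intermediate values as integers. If the front-end side is a subnet rather than one host, the two comparisons can be replaced with cidrmatch("192.168.0.0/24", 'id.resp_h') and cidrmatch("192.168.0.0/24", 'id.orig_h'), which takes the subnet as a quoted string in the same way.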