Hi, I have a search that shows the output of traffic as sum(sentbyte).
This is my search, names have been changed to protect the guilty:
________________________________________________
index=netfw host="firewall"
srcname IN (host1,host2,host3...)
action=allowed dstip=8.8.8.8
| eval mytime=strftime(_time,"%Y/%m/%d %H %M")
| stats sum(sentbyte) by mytime
________________________________________________
The results show the peak per minute, which I can graph with a line chart, and they range up to 10,000,000.
I have tried to set up the alerting when the sum(sentbyte) is over 5,000,000 but cannot get it to trigger.
My alert is set to custom:
| stats sum(sentbyte) by mytime > 5000000
I may be on the wrong track for what I am trying to do but have spent many hours going in circles with this one. Any help is greatly appreciated.
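As an added example, not part of the original post, the same filter, per-minute bucketing and threshold check written in Python over a few constructed firewall events. It makes the point explicit that the 5,000,000 comparison has to be applied to each minute's aggregated total after the stats step, not to the individual events: in the sample, no single event in the first minute exceeds the threshold, but the minute's sum does. Event layout, host names and timestamps are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in a key=value layout (assumed for this example;
# real firewall logs carry whatever fields the source actually emits).
SAMPLE_EVENTS = [
    "_time=2024-05-01T10:00:05Z srcname=host1 action=allowed dstip=8.8.8.8 sentbyte=3000000",
    "_time=2024-05-01T10:00:40Z srcname=host2 action=allowed dstip=8.8.8.8 sentbyte=2500000",
    "_time=2024-05-01T10:00:50Z srcname=host3 action=denied dstip=8.8.8.8 sentbyte=9000000",
    "_time=2024-05-01T10:01:10Z srcname=host1 action=allowed dstip=8.8.8.8 sentbyte=1000000",
    "_time=2024-05-01T10:01:30Z srcname=host9 action=allowed dstip=8.8.8.8 sentbyte=8000000",
]
WATCHED_SOURCES = {"host1", "host2", "host3"}   # the srcname IN (...) list
THRESHOLD = 5_000_000                            # bytes per minute that should trigger


def parse_event(line: str) -> dict:
    """Split one key=value event into a dict of field -> value."""
    return dict(kv.split("=", 1) for kv in line.split())


def matches_search(ev: dict) -> bool:
    """The filter part of the search: srcname IN (...), action=allowed, dstip=8.8.8.8."""
    return (ev.get("srcname") in WATCHED_SOURCES
            and ev.get("action") == "allowed"
            and ev.get("dstip") == "8.8.8.8")


def bytes_per_minute(lines) -> dict:
    """The eval/stats part: bucket each event by minute, then sum sentbyte per bucket."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if not matches_search(ev):
            continue
        ts = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        mytime = ts.strftime("%Y/%m/%d %H %M")   # same bucket key the search builds
        totals[mytime] += int(ev["sentbyte"])
    return dict(totals)


def minutes_over_threshold(lines, threshold: int = THRESHOLD) -> list:
    """The trigger condition: compare each minute's aggregated total, not the raw events."""
    return sorted(m for m, total in bytes_per_minute(lines).items() if total > threshold)


if __name__ == "__main__":
    for minute, total in sorted(bytes_per_minute(SAMPLE_EVENTS).items()):
        print(minute, total, "ALERT" if total > THRESHOLD else "")
```

The denied event and the host outside the watched list are dropped by the filter, so only the first minute (3,000,000 + 2,500,000) crosses the threshold.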