Hey! Right now I have a search - source="tcp:6555"| search Message_Type =IP | stats sum(Bytes) AS Bytes by IP | sort -Bytes | head 10 | eval Bytes = case(Bytes/pow(1024,1) <1024, tostring(round(tonumber(Bytes)/pow(1024,1),2))."K", Bytes/pow(1024,2) <1024, tostring(round(tonumber(Bytes)/pow(1024,2),2))."M", Bytes/pow(1024,3) <1000, tostring(round(tonumber(Bytes)/pow(1024,3),2))."G", true(), Bytes) Which gives me 192.168.abc.abc 1.23M 173.241.abc.abc 436.03K 40.118.acb.abc 422.66K 192.168.abc.abc 255.59K 50.19.abc.abc 83.63K .... till 10 unique values for IPs. What I want to do now is a separate column that states if the IP has posted an event in the past 10 minutes. I had something like this in mind source="tcp:6565"| search Message_Type =IP | stats sum(Bytes) AS Bytes by IP | sort -Bytes | head 10 | eval Bytes = case(Bytes/pow(1024,1) <1024, tostring(round(tonumber(Bytes)/pow(1024,1),2))."K", Bytes/pow(1024,2) <1024, tostring(round(tonumber(Bytes)/pow(1024,2),2))."M", Bytes/pow(1024,3) <1000, tostring(round(tonumber(Bytes)/pow(1024,3),2))."G", true(), Bytes) | eval tnow = now()-_time | eval Status = case(tnow <=300, "Up", tnow>300, "Down") I kind of understand why this doesnt work but how can I make it work? Thanks! ... View more

My data has a IP field and a number of bytes used by that field. I send data every 5 mins and most of the IPs remain same for top 10 consuming ones. For query - source="tcp:6565"| top IP by Bytes | sort -Bytes | fields IP Bytes | head 10 , my data is (IP Bytes) 192.168.abc.abc 18670106 192.168.abc.abc 17764375 193.235.51.112 17241178 192.168.abc.abc 7814809 193.235.51.112 4436527 ... ... ... Now this was for lsast 60 mins, and I have repeating IPs How can I sum the values so that it shows me the cumulative usage of the IP according to the time range? Thanks! ... View more