I did this search by my self
index=_internal source=metrics.log "group=tcpin_connections" host=ip-10-0-163 | eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
| eval Indexer= splunk_server
| eval Date=strftime(_time,"%d-%m-%Y %H:%M:%S")
| search connectType="heavy fwder"
| sort - _time
| streamstats count, range(_time) as duration min(_time) as min_time, max(_time) as max_time sum(tcp_Kprocessed) as kb_processed, sum(tcp_eps) as tcp_eps by sourceIp destPort Indexer
| eval mb_processed=kb_processed/1024
| eventstats min(mb_processed) as min_mb avg(mb_processed) as avg_mb max(mb_processed) as max_mb
| table count sourceIp, Indexer ,duration, tcp_eps mb_processed destPort min_mb max_mb avg_mb
... View more