Hi!
I'm attempting to take an existing query and update it to do the following:
For the last 24 hours, sum and list records where Source IP has total outgoing bytes greater than 5GB. Each record should have User, Source IP, Destination IP, Application, total bytes for that record (App Outgoing Bytes (GB)) and the total for the source IP (Source IP Outgoing Bytes(GB)).
Current Results - single sum

| User | Source IP | Destination IP | Application | App Outgoing Bytes (GB) |
|---|---|---|---|---|
| unknown | 1.1.1.1 | 7.7.7.7 | WEB | 38.51 |
| unknown | 2.2.2.2 | 8.8.8.8 | SSL | 24.33 |
Desired Results

| User | Source IP | Destination IP | Application | App Outgoing Bytes (GB) | Source IP Outgoing Bytes (GB) |
|---|---|---|---|---|---|
| unknown | 1.1.1.1 | 7.7.7.7 | WEB | 38.51 | 43.51 |
| unknown | 1.1.1.1 | 2.2.2.2 | WEB | 2.50 | 43.51 |
| unknown | 1.1.1.1 | 3.3.3.3 | WEB | 2.50 | 43.51 |
| unknown | 2.2.2.2 | 8.8.8.8 | SSL | 24.33 | 24.33 |
Current query - single sum

```
stats sum(bytes_out) as BytesOut by User, "Source IP", "Destination IP", "Application"
| eval outgoingBytes = round(BytesOut / (1024 * 1024 * 1024),4)
| search outgoingBytes >= 5
| rename outgoingBytes as "App Outgoing Bytes (GB)"
| sort - "App Outgoing Bytes (GB)"
| fields - BytesOut
```
Attempted to use eventstats, but that raises an auto-finalize error. Hoping to resolve this without touching limits, if possible.
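The two-level aggregation the desired table implies (a per-record sum, plus a per-Source-IP total that drives the 5 GB threshold) as an added Python reference implementation, not SPL and not part of the original post. The sample events are constructed so they add up to the question's figures, and the function names and the extra below-threshold source are assumptions for illustration.

```python
from collections import defaultdict

GB = 1024 ** 3

# Constructed sample events (not from the original post). Several raw events
# per record key show why the first level of aggregation is needed.
SAMPLE_EVENTS = [
    {"User": "unknown", "Source IP": "1.1.1.1", "Destination IP": "7.7.7.7", "Application": "WEB", "bytes_out": 38.51 * GB},
    {"User": "unknown", "Source IP": "1.1.1.1", "Destination IP": "2.2.2.2", "Application": "WEB", "bytes_out": 1.25 * GB},
    {"User": "unknown", "Source IP": "1.1.1.1", "Destination IP": "2.2.2.2", "Application": "WEB", "bytes_out": 1.25 * GB},
    {"User": "unknown", "Source IP": "1.1.1.1", "Destination IP": "3.3.3.3", "Application": "WEB", "bytes_out": 2.50 * GB},
    {"User": "unknown", "Source IP": "2.2.2.2", "Destination IP": "8.8.8.8", "Application": "SSL", "bytes_out": 24.33 * GB},
    # Hypothetical source whose total stays under 5 GB: every one of its records is dropped.
    {"User": "unknown", "Source IP": "3.3.3.3", "Destination IP": "9.9.9.9", "Application": "DNS", "bytes_out": 4.99 * GB},
]

# Same grouping fields as the question's stats ... by clause.
KEY = ("User", "Source IP", "Destination IP", "Application")


def summarize(events, threshold_gb=5.0):
    """Return one row per record key, each carrying its own GB total and the
    total for its Source IP; the threshold applies to the Source IP total,
    so small records belonging to a heavy source are kept."""
    # Level 1: sum bytes_out per (User, Source IP, Destination IP, Application).
    per_record = defaultdict(float)
    for ev in events:
        per_record[tuple(ev[k] for k in KEY)] += ev["bytes_out"]

    # Level 2: roll the record totals up per Source IP (index 1 of the key).
    per_source = defaultdict(float)
    for key, total in per_record.items():
        per_source[key[1]] += total

    rows = []
    for key, total in per_record.items():
        src_total = per_source[key[1]]
        if src_total / GB < threshold_gb:
            continue  # filter on the source total, not the record total
        row = dict(zip(KEY, key))
        row["App Outgoing Bytes (GB)"] = round(total / GB, 2)
        row["Source IP Outgoing Bytes (GB)"] = round(src_total / GB, 2)
        rows.append(row)

    # Heaviest sources first, heaviest records within a source first.
    rows.sort(key=lambda r: (-r["Source IP Outgoing Bytes (GB)"], -r["App Outgoing Bytes (GB)"]))
    return rows
```

The 24-hour window is left to the search time range, as in the question's query.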