Hi sir:
sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte |eval bandwidth(MB) = round(bandwidth/1024/1024,2) |table srcip,dstip,...,bandwidth(MB)|sort bandwidth(MB) desc
Now:
srcip dstip ..... bandwidth(MB)
1.1.1.1 2.2.2.2 .... 100
1.1.1.1 2.2.2.2 .... 200
1.1.1.2 2.2.2.2 .... 200
I hope:
srcip dstip ..... bandwidth(MB)
1.1.1.1 2.2.2.2 .... 300
1.1.1.2 2.2.2.2 .... 200
What can I do?
I tried it, and it is working fine.
sourcetype=xxx srcip | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | stats list(dstip) as dstip , values(hostname) as hostname ,values(app) as app,sum(bandwidth(MB)) as bandwidth(MB) by srcip | sort bandwidth(MB) desc
Thank you~
Try this
sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte |eval bandwidth(MB) = round(bandwidth/1024/1024,2) |stats sum(bandwidth(MB)) as bandwidth(MB) by srcip,dstip,...| sort bandwidth(MB) desc
Hi chengyu,
try this:
sourcetype=xxx | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | stats values(bandwidth(MB)) AS bandwidth by srcip,dstip,...,bandwidth(MB) | sort bandwidth desc
cheers, MuS