- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to monitor proxy uploaded data split by users,...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring proxy uploaded data split by users, greater than say 1GB in the last 24hrs and then Alert.
Not sure how to do this.
index="proxy_logs" time="*" filter_results=OBSERVED protocol="*" url="*" upload="*" user="*" |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @SGun,
Try this,
index="proxy_logs" <rest of your search> | stats sum(your data size field/1073741824 ) as total_gb by user | where total_gb > "your threshold value"
Please provide your field name of data size and also unit if the above does not work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats sum(upload) as total by user | where total > 10000000
Works great.
So if I wanted to add this output to a table, with other information such as date, time, user, url, upload?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you would like to split by other fields , then you can add them to the by clause e.g. | stats sum(upload) as total by user,upload . However its not an aggregation over user but all other fields in by clause
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @SGun,
Try this,
index="proxy_logs" <rest of your search> | stats sum(your data size field/1073741824 ) as total_gb by user | where total_gb > "your threshold value"
Please provide your field name of data size and also unit if the above does not work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats sum(upload) as total by userID | where total > 10000000
Works great.
So if I wanted to add this output to a table, with other information such as date, time, user, url, upload?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you would like to split by other fields , then you can add them to the by clause e.g. | stats sum(upload) as total by user,upload . However its not an aggregation over user but all other fields in by clause
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="proxy_logs" filter_results=OBSERVED | stats sum(upload) as total by date,time,userID,url | where total > 10000000
Thanks again for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="proxy_logs" filter_results=OBSERVED | eval MB=upload/(1024*1024) | stats sum(upload) as total by date,userID,url,MB upload | where total > 10000000
does the conversion to MB - still need to aggregate the user upload
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also need to figure out how to aggregate the data or just show the highest upload by the user
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
