I've been making some headway on this query, not totally there yet however. I can't seem to get it to return the bytes in / bytes out in the results with the session IDs. It's looking at one group of alerts for the username and session, and the subsearch is telling the top search what sessions to look for, but I can't seem to pass the bytes_in/bytes_out over in a way that doesn't mess with the top query.
The basics are this:
Multiple sessions from the same user (log has username and session ID).
The second-step log entry has no username and shows data transferred by session ID; bytes_in and bytes_out are used.
sourcetype=apm_log index=vpn bytes_in>0 OR user!=n/a
[ search sourcetype=apm_log index=vpn bytes_in>0
| dedup session_id
| fields session_id
| mvexpand session_id
| format]
| stats dc(session_id) as count values(session_id) as SessionID by user
| where count >2
So the problem is I can't seem to get it to add the bytes_in / bytes_out of those sessions it is finding into the end result. Any help would be appreciated.
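One way to get the byte counts onto the final rows, added here as an example and not part of the original post, is to drop the subsearch altogether: a first `stats ... by session_id` stitches the username from the login events onto the transfer events that share the same session ID, and a second `stats ... by user` then counts sessions and sums bytes per user. It assumes the field names from the post (`user`, `session_id`, `bytes_in`, `bytes_out`), that `n/a` is the literal placeholder on events without a username, and that each transfer entry reports a delta rather than a running counter (if the log reports cumulative counters per session, use `max()` instead of `sum()` in the first `stats`). One caveat on the original base search: `bytes_in>0 OR user!=n/a` binds as `(sourcetype=... index=... bytes_in>0) OR user!=n/a` because AND binds tighter than OR in SPL, so the OR term needs parentheses as shown.

```spl
sourcetype=apm_log index=vpn (bytes_in>0 OR user!="n/a")
| stats values(user) as user sum(bytes_in) as bytes_in sum(bytes_out) as bytes_out by session_id
| where isnotnull(user)
| stats dc(session_id) as count values(session_id) as SessionID sum(bytes_in) as bytes_in sum(bytes_out) as bytes_out by user
| where count > 2
```

After the first `stats` every session is a single row carrying both its username and its byte totals, so the final `dc(session_id)` still counts distinct sessions per user exactly as before, and `bytes_in` / `bytes_out` in the result are the sums over that user's sessions. Sessions for which no login event ever supplied a username are dropped by the `isnotnull(user)` step rather than being grouped under an empty user; if those orphaned sessions are themselves interesting (data moved on a session with no identity attached), remove that line and they will appear as a row with a blank `user`.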