Here's the search:
index=proxysg sourcetype=proxysg | replace *pandora* with www.pandora.com in url | replace *facebook* with www.facebook.com in url | stats sum(bytes_in) as MB by url | eval MB=round(MB/1024/1024,2) | sort -MB