I have this search that is almost what I am looking for but not quite:
| `pan_tstats` sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM `node(log.traffic.end)` log.user="*" groupby _time span=5m, log.src_ip, log.dest_ip | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent" values(log.src_ip) AS "Source IP" values(log.dest_ip) AS "Dest IP"
The problem is that there are multiple dest_ip values for each src_ip in each 5m time window. What I need is the "Bytes Received" and "Bytes Sent" broken down on a timeline and grouped by IP address, then grouped again by dest_ip, since there can be more than one dest_ip for each source in that 5m time window.
Any help would be greatly appreciated!
Chris
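One way to get a separate series per (src_ip, dest_ip) pair, added here as an example and not part of Chris's post: the `pan_tstats` search is kept exactly as written in the question, and only the steps after it change. It assumes the tstats rows already carry one 5m bucket per src/dest pair, so the pair is joined into a single key (dotted field names need single quotes inside `eval`) and `timechart` splits on that key; `limit=0 useother=f` keeps every pair instead of collapsing all but the top 10 into OTHER.

```spl
| `pan_tstats` sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM `node(log.traffic.end)` log.user="*" groupby _time span=5m, log.src_ip, log.dest_ip
| eval pair='log.src_ip'." -> ".'log.dest_ip'
| timechart span=5m limit=0 useother=f sum(sumReceived) AS "Bytes Received" sum(sumSent) AS "Bytes Sent" by pair
```

If a table is easier to read than a wide chart, replace the `timechart` line with `| stats sum(sumReceived) AS "Bytes Received" sum(sumSent) AS "Bytes Sent" by _time, log.src_ip, log.dest_ip | sort _time`, which gives one row per bucket and pair.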