Open GoogleCodeExporter opened 8 years ago
GoogleCodeExporter
commented
8 years ago This query should work:
host:<IP of firewall> groupby:hour | sum(conn_bytes)
You can test it manually, and if it looks right, you can add it to a dashboard.
Depending on how busy the firewall is, the query may take awhile. Let me know
if this works for you.Original comment by mchol...@gmail.com on 3 Apr 2013 at 4:18
GoogleCodeExporter
commented
8 years ago I have tried this but did not get any results back. I can do either the groupby
or sum and get result. But not both at the same time
host:192.168.70.1 groupby:hour | sum(conn_bytes)
or
srcip=10.0.133.125 groupby:hour | sum(conn_bytes)
Teardown TCP connection 32690020 for outside:10.0.133.125/80 to
inside:192.168.70.8/64434 duration 0:00:00 bytes 721 TCP FINs
host=192.168.70.1 program=%asa-6-302014 class=FIREWALL_CONNECTION_END proto=TCP
srcip=10.0.133.125 srcport=80 dstip=192.168.70.8 dstport=64434 conn_bytes=721
o_int=outside i_int=inside conn_duration=0:00:00Original comment by jacobrav...@gmail.com on 3 Apr 2013 at 9:48
GoogleCodeExporter
commented
8 years ago Ah, you are right, that won't work. Groupby hour will return a count and the
hour, so there's no conn_bytes to sum. I'll make this a feature request to use
the built-in Sphinx SUM() function instead of COUNT() which is technically
feasible, but I will have to make some changes to how the queries are parsed
and implemented.Original comment by mchol...@gmail.com on 3 Apr 2013 at 2:17
Original issue reported on code.google.com by
jacobrav...@gmail.comon 2 Apr 2013 at 8:44