Combine two different aggregation results into one

shi · June 14, 2022, 11:25am

We have traffic logs from and to WAN. We need to

We need to add/aggregate the sentbytes when the source interface is WAN.
We need to add/aggregate the receivedbytes when the destination interface is WAN.
We need to find the sum of above two aggregations.

How to do this?
E.g.

@timestamp	               action utmaction	       srcip	  srccountry	srcintf	srcport	     dstip	    dstcountry	   dstintf	dstport	service	sentbyte	rcvdbyte

Jun 14, 2022 @ 16:37:11.866	close	-	     164.xxx.xxx.xxx	India	    WAN	     48012	210.xxx.xxx.xxx	India	        LAN	     443	 HTTPS	 879	    2890

Jun 14, 2022 @ 16:37:11.746	close	-	     10.xxx.xxx.xxx	    Reserved	LAN	     53316	164.xxx.xxx.xxx	India	        WAN	     443	 HTTPS	 2010	    1549

Jun 14, 2022 @ 16:37:05.925	close	-	     172.xxx.xxx.xxx	Reserved	LAN	     34674	104.16.219.84	United States   WAN	     443	 HTTPS	 1212	    4088

1: 879
2: 1549+4088 = 5637
3: Here the answer should be 879+5637 = 6516

We could do Step 1 and 2 independently. How can we combine the results of these aggregations together as required in step 3 (sum)

Thanks and Regards
Shi

Stratoula_Kalafateli · June 14, 2022, 11:44am

You could use Lens formula and do something like this

average(bytes, kql='geo.dest : "AM"') + average(bytes, kql='geo.dest : "AO"')

where in average you can add the aggregation you want

Here is a metric visualization with a formula in Lens

shi · June 16, 2022, 6:00pm

thanks a lot
it worked
thanks and regards
shini

system · July 14, 2022, 6:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.