Alex Kobin
Jul 25, 2018

WireData get count all the TotalBytes in 1 row.

Hi guys

I need some help with a WireData query: I need to get the total number of TotalBytes in 1 row.

I did something like this, but the count is wrong, or maybe I'm doing something wrong.

 
WireData
| where TotalBytes > 0
| summarize count() by Computer
 
And I want to get only 1 answer counted per 5 min, and not all the solutions that WireData gives me every 30-40 seconds (I can see it in SessionStartTime/SessionEndTime).
 
Thanks.
 

 

  • Hey Alex,

    Your solution makes sense, but will only return you the results from the last 5 minutes.

    If you'd like to see that total number per 5 minutes, I'd recommend using:

    WireData
    | summarize sum(TotalBytes) by Computer, bin(TimeGenerated, 5m)

    To see it as a chart, you can add '| render timechart' at the end, as shown here.

  • Alex Kobin
    Found a solution:

    //Find total network inbound outbound total bytes in WINDOWS
    WireData
    | where TimeGenerated < ago(5m)
    | summarize sum(TotalBytes) by Computer
    //| project Computer , SessionStartTime , SessionEndTime , LocalIP , ReceivedBytes , SentBytes , TotalBytes
    | where sum_TotalBytes < 0

    ----------------------------------------------------------------------------------------

    //Find total network inbound outbound total bytes in LINUX
    Perf
    | where ObjectName == "Network"
    | summarize sum(CounterValue) by Computer
    | where sum_CounterValue < 0
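
The difference between count() and sum(TotalBytes) discussed in this thread, as an added example that is not part of any of the posts above. The table name SampleWireData, the computer names and all row values are constructed; only the column names TimeGenerated, Computer and TotalBytes come from the thread.

```kusto
// Constructed sample rows standing in for WireData (not real telemetry).
// Several session records arrive within each 5-minute window.
let SampleWireData = datatable(TimeGenerated:datetime, Computer:string, TotalBytes:long)
[
    datetime(2018-07-25 10:00:10), "web01", 1200,
    datetime(2018-07-25 10:00:45), "web01", 800,
    datetime(2018-07-25 10:03:20), "web01", 500,
    datetime(2018-07-25 10:06:05), "web01", 3000,
    datetime(2018-07-25 10:01:30), "db01",  400,
    datetime(2018-07-25 10:07:15), "db01",  600
];
SampleWireData
| where TotalBytes > 0
// count() is the number of session records in the bucket;
// sum(TotalBytes) is the traffic volume carried by those records.
| summarize Sessions = count(), SumTotalBytes = sum(TotalBytes)
    by Computer, bin(TimeGenerated, 5m)
| order by Computer asc, TimeGenerated asc
// Against the live table, one row per computer for only the most recent
// window would use: WireData | where TimeGenerated > ago(5m)
//                            | summarize sum(TotalBytes) by Computer
```

Each output row is one computer in one 5-minute bucket, so the many 30-40 second session records collapse into a single line per window.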
