WireData get count all the TotalBytes in 1 row.


Hi guys

Need some help with query WireData, need to get a total number of TotalBytes in 1 row.

I did something like this but the count is wrong or maybe I'm doing something wrong.

WireData
| where TotalBytes > 0
| summarize count() by Computer
And I want to get only 1 answer counted per 5 min, and not all the solutions that WireData gives me every 30-40 seconds (I can see it in SessionStartTime/SessionEndTime).


2 Replies
Found a solution:

//Find total network inbound outbound total bytes in WINDOWS
WireData
| where TimeGenerated > ago(5m)
| summarize sum(TotalBytes) by Computer
//| project Computer , SessionStartTime , SessionEndTime , LocalIP , ReceivedBytes , SentBytes , TotalBytes
| where sum_TotalBytes > 0


//Find total network inbound outbound total bytes in LINUX
Perf
| where ObjectName == "Network"
| summarize sum(CounterValue) by Computer
| where sum_CounterValue > 0

Hey Alex,

Your solution makes sense, but will only return you the results from the last 5 minutes.

If you'd like to see that total number per 5 minutes, I'd recommend using 

| summarize sum(TotalBytes) by Computer, bin(TimeGenerated, 5m)

To see it as a chart, you can add '| render timechart' at the end, as shown here.
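
An added example, not part of any post in this thread: the query below runs against a constructed `datatable` standing in for WireData, so it works in any workspace without the WireData solution. It puts `count()` and `sum(TotalBytes)` side by side per computer and 5-minute bin, which shows why the original `count()` attempt returned the number of session records rather than the byte total. The table name `SampleWireData`, the computer names, the timestamps and the byte values are all made up for illustration.

```kusto
// Constructed sample rows; only the columns the thread uses are modelled.
let SampleWireData = datatable(TimeGenerated:datetime, Computer:string, TotalBytes:long)
[
    datetime(2024-01-01 10:00:10), "web01", 1200,
    datetime(2024-01-01 10:00:45), "web01", 800,
    datetime(2024-01-01 10:03:20), "web01", 0,      // idle session, filtered out below
    datetime(2024-01-01 10:06:05), "web01", 500,
    datetime(2024-01-01 10:01:30), "db01",  4000,
    datetime(2024-01-01 10:07:15), "db01",  1000
];
SampleWireData
| where TotalBytes > 0
// count() = number of session records in the bin, sum() = bytes moved in the bin.
| summarize SessionRecords = count(), SumTotalBytes = sum(TotalBytes)
    by Computer, bin(TimeGenerated, 5m)
| order by Computer asc, TimeGenerated asc
```

Against the real table, replace `SampleWireData` with `WireData` and add a `TimeGenerated` filter for the period of interest.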