V1 - Examples - Total Bytes Used

Total Bytes

function totalbytes()
search {from="-30d<d", to="-20d>d"} sContent("@source","surf-soho-6ccb")
let sent=f("@fields.bytes_sent"),recvd=f("@fields.bytes_recvd"),session=f("@fields.session_state")
let sent2=parseInt(sent),recvd2=parseInt(recvd)
where session=="END"
aggregate s=sum(sent2+recvd2)
end
stream totalbytes = totalbytes()

The total bytes used is 19347219046 bytes, equal to ~18 GB.

In this case, two fields, "@fields.bytes_sent" and "@fields.bytes_recvd", hold the bytes sent and received, respectively. However, the values are stored as strings, so they must be converted to integers with parseInt before any calculation. The last step uses aggregate (without by) to get the total bytes.

Related FPL commands: search, sContent, let, f, parseInt, where, aggregate, stream

Total Bytes per Hour

function totalbytes_per_hour()
search {from="-30d<d", to="-20d>d"} sContent("@source","surf-soho-6ccb")
let sent=f("@fields.bytes_sent"),recvd=f("@fields.bytes_recvd"),session=f("@fields.session_state"),timestamp=f("@timestamp")
let sent2=parseInt(sent),recvd2=parseInt(recvd)
where session=="END"
let Hour=strftime("%D:%H:%M",timebucket("1h",timestamp))
aggregate s=sum(sent2+recvd2) by Hour
end
stream totalbytes_per_hour = totalbytes_per_hour()

To calculate the total bytes per hour, first divide the timestamp into 1h intervals using timebucket, then format the bucket with strftime and store it as "Hour". Compared to the last example, the aggregate command now needs a by clause, which aggregates by "Hour".

Related FPL commands: search, sContent, let, f, parseInt, where, strftime, timebucket, aggregate, stream
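
To cross-check the totals from both queries above against exported events, the same pipeline can be reproduced offline. This is an added example in Python, not FPL and not part of the original page; the event layout (flat dictionaries, "@timestamp" in epoch milliseconds, UTC buckets) and the sample records are assumptions constructed for illustration. Rows whose byte fields are missing or non-numeric are counted separately instead of being summed.

```python
from collections import defaultdict
from datetime import datetime, timezone

HOUR_MS = 3_600_000

# Constructed sample events (not real data). Field names follow the page;
# the epoch-millisecond "@timestamp" format is an assumption.
SAMPLE_EVENTS = [
    {"@source": "surf-soho-6ccb", "@timestamp": 1700000100000,
     "@fields.session_state": "END", "@fields.bytes_sent": "1200", "@fields.bytes_recvd": "3400"},
    {"@source": "surf-soho-6ccb", "@timestamp": 1700000200000,
     "@fields.session_state": "START", "@fields.bytes_sent": "999", "@fields.bytes_recvd": "999"},
    {"@source": "surf-soho-6ccb", "@timestamp": 1700000900000,
     "@fields.session_state": "END", "@fields.bytes_sent": "300", "@fields.bytes_recvd": "700"},
    {"@source": "surf-soho-6ccb", "@timestamp": 1700003000000,
     "@fields.session_state": "END", "@fields.bytes_sent": "800", "@fields.bytes_recvd": "200"},
    {"@source": "surf-soho-6ccb", "@timestamp": 1700003100000,
     "@fields.session_state": "END", "@fields.bytes_sent": "500", "@fields.bytes_recvd": ""},
    {"@source": "other-device", "@timestamp": 1700003200000,
     "@fields.session_state": "END", "@fields.bytes_sent": "10", "@fields.bytes_recvd": "10"},
]


def total_bytes_per_hour(events, source):
    """Return (bytes per hour bucket, grand total, rejected row count)."""
    per_hour = defaultdict(int)
    rejected = 0
    for ev in events:
        # Same filters as the queries: one source, finished sessions only.
        if ev.get("@source") != source or ev.get("@fields.session_state") != "END":
            continue
        try:
            # Byte counters arrive as strings and must be converted first.
            sent = int(ev["@fields.bytes_sent"])
            recvd = int(ev["@fields.bytes_recvd"])
        except (KeyError, TypeError, ValueError):
            rejected += 1  # a malformed counter would otherwise skew the sum
            continue
        # Floor the timestamp to the start of its 1h bucket, then format it.
        bucket_ms = ev["@timestamp"] // HOUR_MS * HOUR_MS
        hour = datetime.fromtimestamp(bucket_ms / 1000, tz=timezone.utc)
        per_hour[hour.strftime("%m/%d/%y:%H:%M")] += sent + recvd
    return dict(per_hour), sum(per_hour.values()), rejected


if __name__ == "__main__":
    print(total_bytes_per_hour(SAMPLE_EVENTS, "surf-soho-6ccb"))
```

A non-zero rejected count means the query total may not reflect every finished session, which is worth checking before relying on the figure for usage baselining.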