https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/233640#M506 <P>Hi&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/69601">@ramsundar</a>&nbsp;,</P><P>I hope i can answer your question you should be able to us the "by:" keyword in the summarize if we start off with this data:</P><P>data record( sentbyte = 10 , receivedbyte = 20 , subnet = "Retail") ,<BR />record( sentbyte = 10 , receivedbyte = 20 , subnet = "Retail"),<BR />record( sentbyte = 10 , receivedbyte = 20 , subnet = "Retail"),<BR />record( sentbyte = 10 , receivedbyte = 20 , subnet = "HR")</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LukeHearth_1-1704733093690.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/16668i3E6D2178D8661BF7/image-size/medium?v=v2&amp;px=400" role="button" title="LukeHearth_1-1704733093690.png" alt="LukeHearth_1-1704733093690.png" /></span></P><P>&nbsp;</P><P>We can then use this line to add up the bytes to get the sum:</P><P>| summarize total = sum(receivedbyte + sentbyte) , by:subnet</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LukeHearth_0-1704733050222.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/16667i250236ABE7983AE4/image-size/medium?v=v2&amp;px=400" role="button" title="LukeHearth_0-1704733050222.png" alt="LukeHearth_0-1704733050222.png" /></span></P><P>&nbsp;</P><P>Let me know if this helps.</P><P>Yours,</P><P>Luke Hearth</P> Mon, 08 Jan 2024 16:58:41 GMT LukeHearth 2024-01-08T16:58:41Z https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/231458#M417 <P>We are forwarding Firewall traffic logs to dynatrace , and we split into columns like srcip , dstip , port , sentbyte &amp; received byte.&nbsp;</P><P>&nbsp;</P><P>Now i need calculate totalbytes by adding sent &amp; received byte , which should group based on the subnets&nbsp;<BR />each subnet is specific to unique team .&nbsp;<BR />Example :<BR />&nbsp;Retail - 100GB<BR />&nbsp;Infra - 100 GB<BR />&nbsp;HR&nbsp; &nbsp;- 100GB</P><P>&nbsp;The query im using is bleow<BR />fetch logs ,from:now() - 24h //, scanLimitGBytes: 500, samplingRatio: 1000<BR />| filter matchesPhrase(host, "SDW-") AND ( toIp(srcip)==ipMask("10.0.0.0",24) OR toIP(dstip)==ipMask("10.0.0.0",24) )<BR />| summarize Totalbytes = sum(toDouble(sentbyte)+toDouble(rcvdbyte))<BR /><BR />how case function in DQL ?&nbsp;</P> Mon, 11 Dec 2023 13:23:06 GMT https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/231458#M417 ramsundar 2023-12-11T13:23:06Z https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/233640#M506 <P>Hi&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/69601">@ramsundar</a>&nbsp;,</P><P>I hope i can answer your question you should be able to us the "by:" keyword in the summarize if we start off with this data:</P><P>data record( sentbyte = 10 , receivedbyte = 20 , subnet = "Retail") ,<BR />record( sentbyte = 10 , receivedbyte = 20 , subnet = "Retail"),<BR />record( sentbyte = 10 , receivedbyte = 20 , subnet = "Retail"),<BR />record( sentbyte = 10 , receivedbyte = 20 , subnet = "HR")</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LukeHearth_1-1704733093690.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/16668i3E6D2178D8661BF7/image-size/medium?v=v2&amp;px=400" role="button" title="LukeHearth_1-1704733093690.png" alt="LukeHearth_1-1704733093690.png" /></span></P><P>&nbsp;</P><P>We can then use this line to add up the bytes to get the sum:</P><P>| summarize total = sum(receivedbyte + sentbyte) , by:subnet</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LukeHearth_0-1704733050222.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/16667i250236ABE7983AE4/image-size/medium?v=v2&amp;px=400" role="button" title="LukeHearth_0-1704733050222.png" alt="LukeHearth_0-1704733050222.png" /></span></P><P>&nbsp;</P><P>Let me know if this helps.</P><P>Yours,</P><P>Luke Hearth</P> Mon, 08 Jan 2024 16:58:41 GMT https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/233640#M506 LukeHearth 2024-01-08T16:58:41Z https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/233954#M531 <P>1. Case function can be realized as a combination of of <STRONG><EM>coalesce</EM> </STRONG>and <EM><STRONG>if</STRONG> </EM>functions</P><P>2. Matching IP addresses to networks can be simplified using <STRONG><EM>ipIn</EM> </STRONG>function (<A href="https://docs.dynatrace.com/docs/platform/grail/dynatrace-query-language/functions/network-functions#ipIn" target="_blank">https://docs.dynatrace.com/docs/platform/grail/dynatrace-query-language/functions/network-functions#ipIn</A>)<BR />3. and <EM><STRONG>summarize</STRONG> </EM>command mentioned by Luke is the final ingredient to produce few values out of many log records&nbsp;<BR />Using my private, but similar data this could look like:</P><LI-CODE lang="markup">fetch logs | fieldsAdd team = coalesce( if (ipIn(srcaddr, "10.176.1.0/24"), "Retail"), if (ipIn(srcaddr, "10.176.2.0/24"), "Infra"), if (ipIn(srcaddr, "10.176.3.0/24"), "HR"), "Other" ) | summarize {totalbytes=sum(toLong(bytes))}, by: { team }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="krzysztof_hoja_1-1704917298573.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/16733i1F9204256A7EA1BE/image-size/medium?v=v2&amp;px=400" role="button" title="krzysztof_hoja_1-1704917298573.png" alt="krzysztof_hoja_1-1704917298573.png" /></span></P><P>Kris</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Jan 2024 20:09:17 GMT https://community.dynatrace.com/t5/DQL/DQLQuery-for-calculating-totalbytes-sent-received-by-portfolios/m-p/233954#M531 krzysztof_hoja 2024-01-10T20:09:17Z