Observer GigaFlow Documentation

Servers As Dst Address

-- Table query for the "Servers As Dst Address" report: lists destination
-- addresses whose inbound flow records look server-like.
-- Inner query: one row per dstadd from netflow, with the number of distinct
--   source addresses (srccount), distinct destination ports (localports),
--   distinct source ports (remoteports), the row count (sessions) and the
--   summed bytes cast to bigint.
-- Outer query: keeps only rows with sessions > 5, localports < 5 and
--   srccount > 5, i.e. more than five peers reaching fewer than five ports;
--   (bytes*8) turns the byte total into bits.
-- The outer GROUP BY names every selected column and applies no aggregate,
--   so it can only collapse identical rows.
-- "sessions" is count(*) over the matched netflow rows; the graph query
--   labels the same count "records".
-- WHERECLAUSE, ORDERBY and LIMITROW are not SQL keywords; presumably they are
--   placeholders the product replaces before running the query — confirm how
--   that text is built and validated.
-- NOTE(review): the thresholds are fixed literals, so a host contacted by
--   five or fewer sources, or one receiving on five or more ports, is
--   excluded; absence from this report does not show that a host offers no
--   service.
Table Query: select dstadd ,srccount,localports,remoteports,sessions,(bytes*8) as bits from (select dstadd as dstadd,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by dstadd ) as a where a.sessions>5 and a.localports<5 and a.srccount>5 group by dstadd,srccount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: srccount
-- Graph query for the "Servers As Dst Address" report: the same server-like
-- filter as the table query, evaluated per time bucket.
-- Inner query: groups netflow rows by afirstseen (the FIRSTSEEN expression)
--   and dstadd, counting distinct source addresses (srccount), distinct
--   destination ports (localports), distinct source ports (remoteports) and
--   rows (records), and computing bits_avgsec as sum(bytes*8)/(MODER/1000)
--   cast to bigint.
-- Outer query: keeps rows with records > 5, localports < 5 and srccount > 5,
--   ordered by dstadd and then afirstseen ascending. Because the thresholds
--   are applied per (afirstseen, dstadd) group, a destination is plotted only
--   for the buckets in which it exceeds them.
-- srccount is returned as "srcsavgsec", but it is a plain distinct count with
--   no division by time; remoteports is computed but not selected.
-- FIRSTSEEN, MODER and WHERECLAUSE are not SQL keywords; presumably they are
--   placeholders the product replaces before running the query, with MODER
--   likely the bucket length in milliseconds — confirm.
-- NOTE(review): if MODER is supplied as an integer below 1000 on an engine
--   that uses integer division, MODER/1000 evaluates to 0 and the division
--   fails — confirm how the value is supplied.
Graph Query: select afirstseen ,dstadd ,srccount as srcsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,dstadd as dstadd,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstadd) as a where a.records>5 and a.localports<5 and a.srccount>5 group by afirstseen,dstadd,srccount,localports,bits_avgsec order by dstadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstadd