I'm trying to summarize the amount of data used by an application, host, etc. over a given period of time.
I'm syslogging to Splunk and seeing the following problem: long-running sessions are logged every 2 minutes with the cumulative amount of data (bytes sent/received/total) up to that point.
So... for example, a session that lasted an hour would have 30+ syslog messages. Now say the total data in the last syslog shows 8MB sent, 2MB received, and a total of 10MB. The syslog before might be 7.5MB sent, 1.9MB received, and a total of 9.5MB. A simple search utilizing SUM produces a result that is like 200MB for the 10MB session (because the last syslog message when the session terminated has the complete data for the session).
I tried to filter based on action (action != accept), but the results are like 1/3 of the actual bandwidth, so that doesn't really work.
Tried the Splunk FortiGate app and the data model appears to have the same problem I'm describing (but maybe I'm wrong).
Anyway, hoping someone else has already solved this.
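The reduction the post is after, worked through as an added example (this is not code from the post, from Splunk, or from the FortiGate app): collapse the periodic cumulative messages to one record per session before summing. Because the counters only grow within a session, the maximum sentbyte/rcvdbyte seen for a session equals its final value, which also tolerates an intermediate message that arrives after the close. The field names (sessionid, sentbyte, rcvdbyte, action, app, the 5-tuple) follow the FortiGate traffic-log key=value convention; the log lines themselves are constructed for the example and the byte values are made up. Keying on the 5-tuple as well as sessionid is an assumption made to guard against sessionid reuse.

```python
import re
from collections import defaultdict

# Constructed sample: FortiGate-style traffic logs, one per line. Session 1001
# is long-running and reports cumulative counters every interval, ends with
# action="close", and has one delayed intermediate message arriving after the
# close. Session 1002 is a one-shot DNS lookup; 1003 was denied (no bytes).
SAMPLE_LOGS = """\
date=2023-05-01 time=10:00:00 type="traffic" subtype="forward" srcip=10.1.1.5 srcport=50000 dstip=203.0.113.10 dstport=443 proto=6 app="SSL" sessionid=1001 action="accept" duration=120 sentbyte=1000000 rcvdbyte=200000
date=2023-05-01 time=10:02:00 type="traffic" subtype="forward" srcip=10.1.1.5 srcport=50000 dstip=203.0.113.10 dstport=443 proto=6 app="SSL" sessionid=1001 action="accept" duration=240 sentbyte=7500000 rcvdbyte=1900000
date=2023-05-01 time=10:02:30 type="traffic" subtype="forward" srcip=10.1.1.7 srcport=51000 dstip=203.0.113.53 dstport=53 proto=17 app="DNS" sessionid=1002 action="close" duration=1 sentbyte=300 rcvdbyte=500
date=2023-05-01 time=10:03:00 type="traffic" subtype="forward" srcip=10.1.1.5 srcport=50000 dstip=203.0.113.10 dstport=443 proto=6 app="SSL" sessionid=1001 action="close" duration=300 sentbyte=8000000 rcvdbyte=2000000
date=2023-05-01 time=10:01:00 type="traffic" subtype="forward" srcip=10.1.1.5 srcport=50000 dstip=203.0.113.10 dstport=443 proto=6 app="SSL" sessionid=1001 action="accept" duration=180 sentbyte=4000000 rcvdbyte=1000000
date=2023-05-01 time=10:03:30 type="traffic" subtype="forward" srcip=10.1.1.9 srcport=52000 dstip=198.51.100.25 dstport=25 proto=6 app="SMTP" sessionid=1003 action="deny" duration=0 sentbyte=0 rcvdbyte=0
"""

# key=value pairs; values are either double-quoted or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields that together identify one flow. sessionid alone may be reused by
# the firewall over a long window (assumption), so the 5-tuple is included.
SESSION_KEY = ("sessionid", "srcip", "srcport", "dstip", "dstport", "proto")


def parse_line(line):
    """Parse one key=value syslog line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def naive_sum(lines):
    """What a plain SUM over every message yields: the over-counted figure."""
    sent = rcvd = 0
    for line in lines:
        rec = parse_line(line)
        sent += int(rec.get("sentbyte", 0))
        rcvd += int(rec.get("rcvdbyte", 0))
    return sent, rcvd


def final_counters_per_session(lines):
    """Reduce the periodic cumulative messages to one record per session.

    Counters are monotonic within a session, so max() picks the final value
    even if a stale intermediate message is delivered after the close.
    The attributes (app, srcip, ...) are taken from the message that carried
    the highest counters, i.e. the latest one actually seen.
    """
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "traffic" or "sessionid" not in rec:
            continue
        key = tuple(rec.get(f, "") for f in SESSION_KEY)
        sent = int(rec.get("sentbyte", 0))
        rcvd = int(rec.get("rcvdbyte", 0))
        cur = sessions.get(key)
        if cur is None:
            sessions[key] = {"rec": rec, "sentbyte": sent, "rcvdbyte": rcvd}
            continue
        if sent + rcvd >= cur["sentbyte"] + cur["rcvdbyte"]:
            cur["rec"] = rec
        cur["sentbyte"] = max(cur["sentbyte"], sent)
        cur["rcvdbyte"] = max(cur["rcvdbyte"], rcvd)
    return sessions


def bytes_by(lines, field):
    """Sum the per-session final counters grouped by an attribute (app, srcip, ...).

    Returns {value: (sentbyte, rcvdbyte, total)}.
    """
    totals = defaultdict(lambda: [0, 0, 0])
    for s in final_counters_per_session(lines).values():
        bucket = totals[s["rec"].get(field, "unknown")]
        bucket[0] += s["sentbyte"]
        bucket[1] += s["rcvdbyte"]
        bucket[2] += s["sentbyte"] + s["rcvdbyte"]
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("naive SUM over every message (sent, rcvd):", naive_sum(lines))
    for app, (sent, rcvd, total) in bytes_by(lines, "app").items():
        print(f"{app}: sent={sent} rcvd={rcvd} total={total}")
```

Run as-is, the naive sum reports roughly 20.5MB sent against an actual 8MB for the SSL session, which is the same inflation described in the post; the per-session reduction gives 8MB/2MB for SSL and 300B/500B for DNS. The equivalent in SPL is the same two-stage aggregation: first stats max(sentbyte) as sentbyte max(rcvdbyte) as rcvdbyte by sessionid srcip srcport dstip dstport proto, then stats sum(sentbyte) sum(rcvdbyte) by app (or by srcip, dstip, and so on).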