So I'm trying to simply sum together all values of a field I extract within the query. I came up with a working solution, but I think there is an easier way, or at least I hope so.
My working query looks like this at the moment:
```
sum(sum_over_time({job="endlessh"} | pattern "<_> <_> <type> host=<ip> port=<port> fd=<fd> time=<time> bytes=<bytes>" | type="CLOSE" | unwrap time[$__range]))
```
It sums together all the `time` values. The thing is, and why I'm not happy with it, it uses an additional `sum_over_time`. Is there no other way for me to simply sum together the `time`? I just want to display the total sum of `time` in my dashboard for the selected amount of time.
Logs I'm working with look like this:
```
2022-04-03 14:37:25.101991388 2022-04-03T12:37:25.101Z CLOSE host=::ffff:218.92.0.192 port=21590 fd=4 time=20.015 bytes=26
2022-04-03 14:38:07.723962122 2022-04-03T12:38:07.723Z ACCEPT host=::ffff:218.92.0.192 port=64475 fd=4 n=1/4096
```
They are from a service called endlessh, which is a tarpit/honeypot for SSH attackers.
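For anyone who wants to check what the query above actually computes, here is an added Python equivalent (not part of the original post, and not endlessh or Loki code): it applies the same field extraction as the `pattern` stage to the line format shown, keeps only `CLOSE` events inside a time window, and sums their `time` field, also broken down per source host. The sample lines and the 198.51.100.x / 203.0.113.x addresses are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of the LogQL pattern in the post:
#   "<_> <_> <type> host=<ip> port=<port> fd=<fd> time=<time> bytes=<bytes>"
# applied to the two-timestamp lines shown. ACCEPT lines end in n=... instead of
# time=/bytes= and therefore never match, which drops them just like the pattern does.
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<utc_ts>\S+) (?P<type>\S+) "
    r"host=(?P<ip>\S+) port=(?P<port>\d+) fd=(?P<fd>\d+) "
    r"time=(?P<time>[\d.]+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log in the endlessh format from the post (addresses are documentation ranges).
SAMPLE_LOG = """\
2022-04-03 14:37:25.101991388 2022-04-03T12:37:25.101Z CLOSE host=::ffff:198.51.100.7 port=21590 fd=4 time=20.015 bytes=26
2022-04-03 14:38:07.723962122 2022-04-03T12:38:07.723Z ACCEPT host=::ffff:198.51.100.7 port=64475 fd=4 n=1/4096
2022-04-03 14:40:12.000000000 2022-04-03T12:40:12.000Z CLOSE host=::ffff:198.51.100.7 port=64475 fd=4 time=124.5 bytes=312
2022-04-03 16:00:00.000000000 2022-04-03T14:00:00.000Z CLOSE host=::ffff:203.0.113.9 port=1111 fd=5 time=3.0 bytes=0
"""


def sum_close_time(log_text, start, end):
    """Total seconds attackers were held in the tarpit, for CLOSE events with
    start <= UTC timestamp < end. Mirrors
    sum(sum_over_time(... | type="CLOSE" | unwrap time[$__range])).
    Returns {"total": float, "count": int, "by_host": {ip: float}}."""
    result = {"total": 0.0, "count": 0, "by_host": {}}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["type"] != "CLOSE":
            continue  # unparsable or non-CLOSE line: filtered out, as in LogQL
        ts = datetime.strptime(m["utc_ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if not (start <= ts < end):
            continue  # outside the selected dashboard range
        held = float(m["time"])  # the unwrapped `time` field, seconds
        result["total"] += held
        result["count"] += 1
        result["by_host"][m["ip"]] = result["by_host"].get(m["ip"], 0.0) + held
    return result


if __name__ == "__main__":
    day_start = datetime(2022, 4, 3, tzinfo=timezone.utc)
    day_end = datetime(2022, 4, 4, tzinfo=timezone.utc)
    print(sum_close_time(SAMPLE_LOG, day_start, day_end))
```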