I want a custom query which I want to run on the events, but I want to run this query on some fields like bytes_received or bytes_sent. The McAfee Web Gateway default parser was not giving this information after parsing the log. I have made an advanced parser rule associated with McAfee Web Gateway, which is working perfectly fine, with the information now available in bytes_received or bytes_sent from the log messages and properly showing in event details - custom fields tab.
I want to build a report where I can see which user has utilized the most bandwidth; based on that, the report will show user and sum(bytes_received). Any help will be appreciated.
I would like to know the answer as well.