GROUP BY clause

Examples of GROUP BY clauses

The following query example shows IP addresses that sent more than 1 million bytes within all flows in a specific time.

SELECT sourceIP, SUM(sourceBytes) 
FROM flows where sourceBytes > 1000000 
GROUP BY sourceIP

The results might look similar to the following output.

-----------------------------------
| sourceIP | SUM_sourceBytes |
-----------------------------------
| 192.0.2.0 | 4282590.0 |
| 10.105.2.10 | 4902509.0 |
| 10.103.70.243 | 2802715.0 |
| 10.103.77.143 | 3313370.0 |
| 10.105.32.29 | 2467183.0 |
| 10.105.96.148 | 8325356.0 |
| 10.103.73.206 | 1629768.0 |
-----------------------------------

However, if you compare this information to a non-aggregated query, the output displays all the IP addresses that are unique, as shown in the following output:

------------------------------
| sourceIP | sourceBytes |
------------------------------
| 192.0.2.0 | 1448629 |
| 10.105.2.10 | 2412426 |
| 10.103.70.243 | 1793095 |
| 10.103.77.143 | 1449148 |
| 10.105.32.29 | 1097523 |
| 10.105.96.148 | 4096834 |
| 192.0.2.0 | 2833961 |
| 10.105.2.10 | 2490083 |
| 10.103.73.206 | 1629768 |
| 10.103.70.243 | 1009620 |
| 10.105.32.29 | 1369660 |
| 10.103.77.143 | 1864222 |
| 10.105.96.148 | 4228522 |
------------------------------

To view the maximum number of events, use the following syntax:

SELECT MAX(eventCount) FROM events

SELECT AVG(eventCount), PROTOCOLNAME(protocolid) 
FROM events 
GROUP BY sourceIP

The output displays the following results:

---------------------------------
| sourceIP | protocol |
---------------------------------
| 192.0.2.0 | TCP.tcp.ip |
| 10.105.2.10 | UDP.udp.ip |
| 10.103.70.243 | UDP.udp.ip |
| 10.103.77.143 | UDP.udp.ip |
| 10.105.32.29 | TCP.tcp.ip |
| 10.105.96.148 | TCP.tcp.ip |
| 192.0.2.0 | TCP.tcp.ip |
| 10.105.2.10 | ICMP.icmp.ip |
---------------------------------