Network Traffic by Protocol

Analyze network traffic patterns by protocol to identify unusual data transfers or potential security risks.

Visualization: the pie chart shows proportional distribution of protocols by bandwidth consumption, making unusual traffic patterns immediately visible to security operations teams.

Pie Chart showing a use case of Network Traffic by Protocol

Figure 227. Network Traffic by Protocol


Sample input data:

bytesprotocolsrc_iptimestamp
15000HTTPS192.168.1.1002025-08-11T00:01:23Z
8000HTTP192.168.1.1012025-08-11T00:01:24Z
12000SMB192.168.1.1022025-08-11T00:01:25Z
20000HTTPS192.168.1.1032025-08-11T00:01:26Z
500DNS192.168.1.1042025-08-11T00:01:27Z

Query:

logscale
protocol=* 
| groupBy(protocol, function=sum(bytes)) 
| sort(_sum, order=desc)

The query analyses network traffic distribution across protocols, identifying which protocols consume the most bandwidth.

This query is useful, for example, to identify protocols consuming excessive bandwidth, detect unusual protocol usage patterns, or monitor network traffic composition for security analysis.

Query breakdown:

  1. Filter events to include only those where the protocol field exists and has a value – that is, the wildcard * matches any non-empty value.

  2. Group the data by the protocol field and calculates the aggregate sum of bytes for each protocol. The result is stored in a default field named _sum, which contains the total data transferred for each protocol type.

  3. Sort the results based on the _sum field in descending order (order=desc), showing protocols with highest bandwidth consumption first.

Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Pie Chart in the Widget selector

  3. Click the style icon : this opens the Format panel on the side where some properties are already configured by default based on the query result.

  4. Modify the properties to obtain the look and feel of this example widget, as follows:

  5. Adjust Max category count: this will allow you to limit the number of slices in the pie chart, with the smaller slices grouped into one category named "Others" (the big green slice in Figure 227, “Network Traffic by Protocol”).

  6. Toggle Legend on. If there is only one item in the chart, the legend does not show.

  7. Set the position of the legend to Bottom

  8. Select Show title to display the legend title, then assign the name "Protocol" to the legend title and adjust its size to Large

  9. Keep Value format as Metric to ensure a metric, human-readable format display of the values in the chart, for example 2,828,299 raw bytes will show as 2.8M.

  10. Change the inherited Colors palette to one of the available custom palettes.

You can further customize this widget by setting more properties, see Pie Chart Property Reference.