peterjgrainger/flow-log-parse.txt

## flow-log-parse.txt
fields @timestamp, @message
| parse @message "* * * * * * * * * * * * * *" as version, account_id, interface_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log_status
| filter action = "REJECT"
| sort @timestamp desc
| limit 2000
	fields @timestamp, @message
	\| parse @message "* * * * * * * * * * * * * *" as version, account_id, interface_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log_status
	\| filter action = "REJECT"
	\| sort @timestamp desc
	\| limit 2000