https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221105#M123341 <P>Thanks - I've effectively been doing option 1 but there's so much data that each export only contains a small timeframe and the max export record count is limited.&nbsp; &nbsp;Unfortunately the SQL option isn't available, but I'll have a look at the CLI option and see if that helps.</P> Thu, 20 Feb 2025 10:06:09 GMT talford 2025-02-20T10:06:09Z https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221096#M123337 <P>Hi,</P> <P>I've been asked to provide a count of all IP addresses sending data from a specific zone over a period of weeks from Panorama\NGFW logs, but exporting data from the logs into Excel and removing duplicate IP's is proving impractical due to the amount of data.</P> <P>Is there a way to create a log query to do something like a SQL DISTINCT query, or is there some other way to get this information?</P> <P>Thanks in advance</P> Thu, 20 Feb 2025 08:47:15 GMT https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221096#M123337 talford 2025-02-20T08:47:15Z https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221103#M123340 <P>There are multiple way to do it<BR /><BR /></P> <P>1.&nbsp;Using Log Filters in the Web UI (Quick Check)<BR />If you just need a rough count:</P> <P>Go to Monitor → Logs → Traffic.<BR />Use the Query Builder to filter for:<BR />Edit<BR />( zone.src eq &lt;your_zone&gt; )<BR />Export results to CSV (if necessary), then use a tool like PowerShell or Python to extract unique IPs<BR /><BR />2. If you have imported the firewall logs into an SQL database (e.g., <STRONG data-start="67" data-end="110">Microsoft SQL Server, MySQL, PostgreSQL</STRONG>), you can use a <STRONG data-start="127" data-end="140">SQL query</STRONG> to get the count of unique IPs<BR /><BR /><SPAN class="hljs-keyword">SELECT</SPAN> <SPAN class="hljs-built_in">COUNT</SPAN>(<SPAN class="hljs-keyword">DISTINCT</SPAN> `Source Address`) <SPAN class="hljs-keyword">AS</SPAN> Unique_IP_Count <SPAN class="hljs-keyword">FROM</SPAN> firewall_logs <BR /><SPAN class="hljs-keyword">WHERE</SPAN> `Zone` <SPAN class="hljs-operator">=</SPAN> <SPAN class="hljs-string">'&lt;your_zone&gt;'</SPAN> <SPAN class="hljs-keyword">AND</SPAN> `<SPAN class="hljs-type">Timestamp</SPAN>` <SPAN class="hljs-keyword">BETWEEN</SPAN> <SPAN class="hljs-string">'2024-02-01'</SPAN> <SPAN class="hljs-keyword">AND</SPAN> <SPAN class="hljs-string">'2024-02-20'</SPAN>;<BR />example:&nbsp;<BR /><SPAN class="hljs-keyword">SELECT</SPAN> <SPAN class="hljs-built_in">COUNT</SPAN>(<SPAN class="hljs-keyword">DISTINCT</SPAN> [Source Address]) <SPAN class="hljs-keyword">AS</SPAN> Unique_IP_Count <SPAN class="hljs-keyword">FROM</SPAN> firewall_logs<BR /><SPAN class="hljs-keyword">WHERE</SPAN> [Zone] <SPAN class="hljs-operator">=</SPAN> <SPAN class="hljs-string">'trust'</SPAN> <SPAN class="hljs-keyword">AND</SPAN> [<SPAN class="hljs-type">Timestamp</SPAN>] <SPAN class="hljs-keyword">BETWEEN</SPAN> <SPAN class="hljs-string">'2024-02-01'</SPAN> <SPAN class="hljs-keyword">AND</SPAN> <SPAN class="hljs-string">'2024-02-20';</SPAN><BR /><BR /><BR /></P> <P><SPAN class="hljs-string">or last using CLI&nbsp;<SPAN class="hljs-meta prompt_">&gt; </SPAN><SPAN class="language-bash">show <SPAN class="hljs-built_in">log</SPAN> traffic query "( zone.src eq &lt;your_zone&gt; )" direction equal forward <SPAN class="hljs-built_in">limit</SPAN> 100000 | match <SPAN class="hljs-built_in">source</SPAN></SPAN><BR /><BR /><BR /></SPAN></P> Thu, 20 Feb 2025 09:58:00 GMT https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221103#M123340 Mudhireddy 2025-02-20T09:58:00Z https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221105#M123341 <P>Thanks - I've effectively been doing option 1 but there's so much data that each export only contains a small timeframe and the max export record count is limited.&nbsp; &nbsp;Unfortunately the SQL option isn't available, but I'll have a look at the CLI option and see if that helps.</P> Thu, 20 Feb 2025 10:06:09 GMT https://live.paloaltonetworks.com/t5/general-topics/determine-count-of-devices-sending-data-from-a-zone-in-panorama/m-p/1221105#M123341 talford 2025-02-20T10:06:09Z