Splunk Reporting ZEN(Total)Bytes Fields

This may be a long shot but wondering if anyone has any experience reporting off the ZEN(Total)Bytes fields in LSS User Activity. We have on-prem zpa connectors and AWS connectors. Like a lot of organizations, we’re trying to route AWS hosted applications thru our AWS connectors so we can route traffic off our internal datacenters. We’d like to start reporting on this progress (in terms of data moved) and wondering if anyone has any recommendations how to tackle this. Seems like we’d have to add up Bytes from each event over a specific timeframe and run it on a regular schedule.

And anyone know what the “0” byte records represent? My guess is they are closed connections… Any feedback would be helpful! Thanks