topic Search top 4 destinations based on usage by IP and put remaining in others for each IP in Splunk Search https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399589#M115835 <P>I am bit new to splunk.</P> <P>I want to search top 4 destinations downloads and total ‘Other’ traffic for each source ip.</P> <PRE><CODE>site src_ip destination download ALSTP 10.98.66.5 Youtube 150 ALSTP 10.98.66.5 Google 103 ALSTP 10.98.66.5 Microsoft_Updates 85 ALSTP 10.98.66.5 Dropbox 25 ALSTP 10.98.66.5 Other 430 ALSTP 10.98.70.10 Google 12 ALSTP 10.98.70.10 Youtube 650 ALSTP 10.98.70.10 Apple_Updates 502 ALSTP 10.98.70.10 iTunes 300 ALSTP 10.98.70.10 Other 4040 </CODE></PRE> <P>I tried below search but it is not giving the desired result.</P> <PRE><CODE>| ess eaddr=172.16.9.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese" | eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S") | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG | sort 5 -"Total(MB)" | addcoltotals labelfield=L7ClassEnhanced label=Others | rename L7ClassEnhanced as Destination, DstIp as SrcIp, DestinationNSG as SourceNSG | search NOT SourceNSG=ULT1_NSGX1 </CODE></PRE> <P>.</P> <PRE><CODE>SrcIp Destination SourceNSG Total(MB) 10.102.57.21 HTTP PMAC_NSG1 395.26492023463334 10.101.144.193 GOOGLE CASH_NSG1 88.199470520036470 10.101.148.114 YOUTUBE CASH_NSG1 201.709753036428500 10.102.81.44 SSL PMREG_NSG1 163.37909603115 Others 5072.701299667548000 </CODE></PRE> Thu, 30 May 2019 04:07:08 GMT ahmadsaadwarrai 2019-05-30T04:07:08Z Search top 4 destinations based on usage by IP and put remaining in others for each IP https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399589#M115835 <P>I am bit new to splunk.</P> <P>I want to search top 4 destinations downloads and total ‘Other’ traffic for each source ip.</P> <PRE><CODE>site src_ip destination download ALSTP 10.98.66.5 Youtube 150 ALSTP 10.98.66.5 Google 103 ALSTP 10.98.66.5 Microsoft_Updates 85 ALSTP 10.98.66.5 Dropbox 25 ALSTP 10.98.66.5 Other 430 ALSTP 10.98.70.10 Google 12 ALSTP 10.98.70.10 Youtube 650 ALSTP 10.98.70.10 Apple_Updates 502 ALSTP 10.98.70.10 iTunes 300 ALSTP 10.98.70.10 Other 4040 </CODE></PRE> <P>I tried below search but it is not giving the desired result.</P> <PRE><CODE>| ess eaddr=172.16.9.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese" | eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S") | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG | sort 5 -"Total(MB)" | addcoltotals labelfield=L7ClassEnhanced label=Others | rename L7ClassEnhanced as Destination, DstIp as SrcIp, DestinationNSG as SourceNSG | search NOT SourceNSG=ULT1_NSGX1 </CODE></PRE> <P>.</P> <PRE><CODE>SrcIp Destination SourceNSG Total(MB) 10.102.57.21 HTTP PMAC_NSG1 395.26492023463334 10.101.144.193 GOOGLE CASH_NSG1 88.199470520036470 10.101.148.114 YOUTUBE CASH_NSG1 201.709753036428500 10.102.81.44 SSL PMREG_NSG1 163.37909603115 Others 5072.701299667548000 </CODE></PRE> Thu, 30 May 2019 04:07:08 GMT https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399589#M115835 ahmadsaadwarrai 2019-05-30T04:07:08Z Re: Search top 4 destinations based on usage by IP and put remaining in others for each IP https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399590#M115836 <P>You will need to use stats in combination with eval to calculate a sum of the bytes for download traffic and non-download traffic. Hopefully there is a key in your data that will help you differentiate. Here is an example</P> <PRE><CODE>index=foo | stats sum(eval(if(action="download", TotalMB, NULL))) AS download_traffic sum(eval(if(action!="download", TotalMB, NULL))) AS other_traffic by src_ip </CODE></PRE> <P>For reference: <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usestatswithevalexpressionsandfunctions">https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usestatswithevalexpressionsandfunctions</A></P> Thu, 30 May 2019 13:57:10 GMT https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399590#M115836 pkeenan87 2019-05-30T13:57:10Z Re: Search top 4 destinations based on usage by IP and put remaining in others for each IP https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399591#M115837 <P>Thanks for the reply, I don't want to differentiate download and non-download traffic, </P> <P>I want to list top 4 destination based on usage and all others destinations as "Others" for each ip, like below:</P> <OL> <LI> site src_ip destination download(MB)</LI> <LI> ALSTP 10.98.66.5 Youtube 150</LI> <LI> ALSTP 10.98.66.5 Google 103</LI> <LI> ALSTP 10.98.66.5 Microsoft_Updates 85</LI> <LI> ALSTP 10.98.66.5 Dropbox 25</LI> <LI> ALSTP 10.98.66.5 Other 430</LI> <LI> ALSTP 10.98.70.10 Google 12</LI> <LI> ALSTP 10.98.70.10 Youtube 650</LI> <LI> ALSTP 10.98.70.10 Apple_Updates 502</LI> <LI>ALSTP 10.98.70.10 iTunes 300</LI> <LI>ALSTP 10.98.70.10 Other 4040</LI> </OL> Thu, 30 May 2019 23:21:15 GMT https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399591#M115837 ahmadsaadwarrai 2019-05-30T23:21:15Z Re: Search top 4 destinations based on usage by IP and put remaining in others for each IP https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399592#M115838 <P>Below search gives the desired result:</P> <PRE><CODE>| ess eaddr=172.16.9.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese" | eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S") | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG | sort DstIp -"Total(MB)" | eval counter = 1 | streamstats sum(counter) as seqNo by DstIp | eval L7ClassEnhanced=case(seqNo &lt; 5, L7ClassEnhanced, seqNo &gt; 4, "Others") | rename "Total(MB)" as TotalMB | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG | fields - counter seqNo | sort DstIp -"Total(MB)" | search NOT DestinationNSG=ULT1_NSGX1 </CODE></PRE> Thu, 06 Jun 2019 04:11:55 GMT https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399592#M115838 ahmadsaadwarrai 2019-06-06T04:11:55Z Re: Search top 4 destinations based on usage by IP and put remaining in others for each IP https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399593#M115839 <P>@ahmadsaadwarraich If your problem is resolved, please accept an answer to help future readers.</P> Thu, 06 Jun 2019 11:34:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-top-4-destinations-based-on-usage-by-IP-and-put-remaining/m-p/399593#M115839 richgalloway 2019-06-06T11:34:31Z