topic Re: How to find out the top 30 applications by bandwidth in Splunk Search

How to find out the top 30 applications by bandwidth

annageorgiou — Mon, 03 Feb 2020 02:35:10 GMT

Hi. I'm new to splunk and trying to code a search for top 30 applications by bandwidth. So far I have the following coding and wondering if anyone has any ideas on how I can get it to work. I have put an '*' in my index as it's classified. I would like it in a table.

index=* sourcetype=*=* OR * 
| eval byteReceivedMB=round(rcvdbyte/1024/1024,2) 
| eval byteSentMB=round(sentbyte/1024/1024,2) 
| stats sum(byteReceivedMB) as "Megabytes Received" sum(byteSentMB) as "Megabytes Sent" by app 
| addtotals 
| dedup app 
| sort limit=30 -Total

Re: How to find out the top 30 applications by bandwidth

to4kawa — Mon, 03 Feb 2020 09:54:22 GMT

any problem?
looks like it works.

Re: How to find out the top 30 applications by bandwidth

DalJeanis — Mon, 03 Feb 2020 17:54:31 GMT

Make sure there is a space between the - and the fields that are to be sorted descending. Otherwise, Splunk has a tendency to think that -Total is the name of the field it is supposed to sort on.

Re: How to find out the top 30 applications by bandwidth

annageorgiou — Mon, 03 Feb 2020 22:20:09 GMT

Thank you. Played around with the total and the spacing and it works.

I had to change the coding above to show:-

This is giving me some sent and received responses. Hopefully it's correct.

Re: How to find out the top 30 applications by bandwidth

annageorgiou — Mon, 03 Feb 2020 22:21:51 GMT

I had to change the coding above to show:-

This is giving me some sent and received responses. Hopefully it's correct. I had to change the spacing for total as menitoned in the below answer.

Re: How to find out the top 30 applications by bandwidth

annageorgiou — Mon, 03 Feb 2020 22:46:07 GMT

In the end, I had to use this coding and it seems to work. Sorry above 'eval' coding (in my original question) didn't work.