topic Re: How to get top 10 users by usage per day for last 30 days in Splunk Search

How to get top 10 users by usage per day for last 30 days

vrmandadi — Fri, 11 Jun 2021 14:28:30 GMT

I have an index which gives user information of how much GB of data they used and from what source .I would like to get the top 10 users based on the GB used per day for the last 30 days in a report .How can a create a report which will show date top 10 users , GB used and the source followed by the next date with top 10 users,GB used and source

The below search gives the top 10 users but I want to have it by each day for last 30 days

index=abc sourcetype=xyz | stats sum(gb) as gb by user source
| sort - gb
| head 10

Re: How to get top 10 users by usage per day for last 30 days

kamlesh_vaghela — Fri, 11 Jun 2021 14:48:14 GMT

@vrmandadi =

Can you please try this?

index=abc sourcetype=xyz | eval user_source=user."-".source | timechart span=1d sum(gb) as gb by user_source WHERE max in top10

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: How to get top 10 users by usage per day for last 30 days

vrmandadi — Fri, 11 Jun 2021 15:11:30 GMT

@kamlesh_vaghela .Thank you fro you reply . the search you provided which has by user_source ..but my search has user and source as separate fields not as one field like user_source and also the results are not sorting in highest order

Re: How to get top 10 users by usage per day for last 30 days

kamlesh_vaghela — Fri, 11 Jun 2021 15:21:48 GMT

@vrmandadi

In my suggested search, the timechart command has been used to achieve per day summation in GB. If you see in my search I created new field user_source by ```| eval user_source=user."-".source``` . The purpose of this eval is to simulate same value of user and source from chart command.

mean while you can try this also for understanding of search.

index=abc sourcetype=xyz | timechart span=1d sum(gb) as gb by user WHERE max in top10 index=abc sourcetype=xyz | timechart span=1d sum(gb) as gb by source WHERE max in top10

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: How to get top 10 users by usage per day for last 30 days

vrmandadi — Fri, 11 Jun 2021 16:30:48 GMT

Thank You but the join of two fields is correct because the user may have different value in different dates

Re: How to get top 10 users by usage per day for last 30 days

kamlesh_vaghela — Fri, 11 Jun 2021 16:32:48 GMT

Yes,

Please accept the answer to help community.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.