https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400499#M170953 <P>I am able to do it using below search:</P> <P>| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese" <BR /> | eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S") <BR /> | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG <BR /> | sort DstIp -"Total(MB)" <BR /> | eval counter = 1 <BR /> | streamstats sum(counter) as seqNo by DstIp <BR /> | where seqNo &lt; 5 <BR /> | fields - counter seqNo <BR /> | search NOT DestinationNSG=ULT1_NSGX1 </P> Wed, 30 Sep 2020 00:44:22 GMT ahmadsaadwarrai 2020-09-30T00:44:22Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400497#M170951 <P>I have raw search:</P> <P>| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese" <BR /> | eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")<BR /> | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG <BR /> | search NOT DestinationNSG=ULT1_NSGX</P> <P>How do I add top parameters, saying top x applications based on usage per source IP.</P> Wed, 30 Sep 2020 00:46:02 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400497#M170951 ahmadsaadwarrai 2020-09-30T00:46:02Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400498#M170952 <PRE><CODE>&lt;your search&gt; | top 10 application by sourceIP </CODE></PRE> Fri, 31 May 2019 02:49:56 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400498#M170952 nabeel652 2019-05-31T02:49:56Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400499#M170953 <P>I am able to do it using below search:</P> <P>| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese" <BR /> | eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S") <BR /> | stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG <BR /> | sort DstIp -"Total(MB)" <BR /> | eval counter = 1 <BR /> | streamstats sum(counter) as seqNo by DstIp <BR /> | where seqNo &lt; 5 <BR /> | fields - counter seqNo <BR /> | search NOT DestinationNSG=ULT1_NSGX1 </P> Wed, 30 Sep 2020 00:44:22 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400499#M170953 ahmadsaadwarrai 2020-09-30T00:44:22Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400500#M170954 <PRE><CODE>| stats values('Total(MB)') by source_ip | sort 0 - 'Total(MB)' | head limit=x </CODE></PRE> <P>Here 'Total(MB)' is the usage and limit returns first x records from results.</P> Fri, 31 May 2019 08:32:44 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-top-x-application-by-usage-per-source-ip/m-p/400500#M170954 darshildave 2019-05-31T08:32:44Z