https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271094#M190127 <P>Try this</P> <PRE><CODE>.... | eval mb=(bytes/1024)/1024 | rename user AS "User" | chart sum(mb) AS "Data Used in MB" over User by Application | addtotals | sort -Total </CODE></PRE> Tue, 26 Jul 2016 00:18:13 GMT sundareshr 2016-07-26T00:18:13Z https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271093#M190126 <P>Hi everyone, I'm pretty new to Splunk (just started a little more than 2 weeks ago). </P> <P>Currently I'm making a panel that would display columns with the following: User - Most Data Consumed Application - Most Data Usage from Application in MB - Data Used in MB. So for example, I have the following - John Smith - youtube.com - 123523 MB - 548432 MB </P> <P>I'm having trouble figuring out how to get Splunk to compute the most data consumed application and display it with the application in my columns. I've only been able to create the 1st and 4th column, by using stats. </P> <P>My current code is:<BR /> ... | eval mb=(bytes/1024)/1024 | rename user AS "User" | stats sum(mb) AS "Data Used in MB" by "User" | sort -num("Data Used in MB")</P> <P>I was thinking of adding another calculation to the stats command, but I can't think of a way to do this off the top of my head.</P> <P>Any help would be appreciated.</P> <P>Thank you,<BR /> Daniel</P> Mon, 25 Jul 2016 21:18:13 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271093#M190126 ddong 2016-07-25T21:18:13Z https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271094#M190127 <P>Try this</P> <PRE><CODE>.... | eval mb=(bytes/1024)/1024 | rename user AS "User" | chart sum(mb) AS "Data Used in MB" over User by Application | addtotals | sort -Total </CODE></PRE> Tue, 26 Jul 2016 00:18:13 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271094#M190127 sundareshr 2016-07-26T00:18:13Z https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271095#M190128 <P>This works quite nice, but instead of just displaying the most used one, it displays all the applications I have in a table. Furthermore, it's not really what I'm looking for table structure wise:<BR /> User - application 1 - application 2 - application 3 - Total<BR /> jsmith - 0.12315MB - 0.16684MB - 4.12562MB - 4.41561MB</P> <P>I want to have the table structured like this:<BR /> User - Data in MB - Application - Total<BR /> jsmith - 4.12562MB - application 3 - 4.41561</P> <P>Thank you for the attempt though <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Edit: made a mistake earlier in my search query and results became different after I took another look. So the results above are what I'm currently seeing.</P> Thu, 28 Jul 2016 15:06:53 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-most-used-application-in-bytes-when-I-have-multiple/m-p/271095#M190128 ddong 2016-07-28T15:06:53Z