https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166469#M47399 <P>Hi!<BR /> That maybe someone has been through this. I have the following table as a result of search:</P> <PRE><CODE>**website** **user** **MB** google.com jperez 125.71 facebook.com smartinez 116.90 facebook.com jperez 92.45 facebook.com asevalloz 71.09 twitter.com jperez 63.85 google.com marevalo 43.85 google.com arios 23.85 twitter.com lgutierrez 13.85 facebook.com asevalloz 11.09 </CODE></PRE> <P>And what I would like is to get the 2 users that generate more MB per website. </P> <PRE><CODE>**website** **user** **MB** google.com jperez 125.71 google.com marevalo 43.85 facebook.com smartinez 116.90 facebook.com jperez 92.45 twitter.com jperez 63.85 twitter.com lgutierrez 13.85 </CODE></PRE> <P>I tried with: <CODE>search...| top 3 MB website by user</CODE><BR /> But it turned out, I would appreciate it much <BR /> :) </P> <P>regards</P> Thu, 31 Jul 2014 23:45:40 GMT jrodriguezap 2014-07-31T23:45:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166469#M47399 <P>Hi!<BR /> That maybe someone has been through this. I have the following table as a result of search:</P> <PRE><CODE>**website** **user** **MB** google.com jperez 125.71 facebook.com smartinez 116.90 facebook.com jperez 92.45 facebook.com asevalloz 71.09 twitter.com jperez 63.85 google.com marevalo 43.85 google.com arios 23.85 twitter.com lgutierrez 13.85 facebook.com asevalloz 11.09 </CODE></PRE> <P>And what I would like is to get the 2 users that generate more MB per website. </P> <PRE><CODE>**website** **user** **MB** google.com jperez 125.71 google.com marevalo 43.85 facebook.com smartinez 116.90 facebook.com jperez 92.45 twitter.com jperez 63.85 twitter.com lgutierrez 13.85 </CODE></PRE> <P>I tried with: <CODE>search...| top 3 MB website by user</CODE><BR /> But it turned out, I would appreciate it much <BR /> :) </P> <P>regards</P> Thu, 31 Jul 2014 23:45:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166469#M47399 jrodriguezap 2014-07-31T23:45:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166470#M47400 <P>Try this - let me assume that your events contain the following fields:</P> <P>user website MB</P> <P>and that each event represents a TCP hit or something similar.</P> <PRE><CODE>yoursearchhere | stats sum(MB) as MB by website user | sort website -MB | eval counter = 1 | streamstats sum(counter) as seqNo by website | where seqNo &lt; 3 | fields - counter seqNo </CODE></PRE> <P>The <CODE>streamstats</CODE> command generates a sequence number, which resets for each website. Then the <CODE>where</CODE> eliminates all but the top 2 users for each website.</P> Fri, 01 Aug 2014 00:29:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166470#M47400 lguinn2 2014-08-01T00:29:27Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166471#M47401 <P>Excellent lguinn! <BR /> It was just the logic I had in mind but did not know how to make, I really appreciate it!<BR /> :)</P> Fri, 01 Aug 2014 02:11:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-2-MB-users-per-website/m-p/166471#M47401 jrodriguezap 2014-08-01T02:11:11Z