https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180680#M52056 <P>this search works great to provide me a list of hosts showing how much license usage over a 1 day period, but when I put it in a bar graph it does not work well because the stats command provides an OVERALL total as well as a total for each host, how to I remove the overall total and only show the total for the top 5 hosts.</P> <P>index="_internal" source="*license_usage.log" <BR /> | rename h as host b as bytes<BR /> | eval my_splunk_server = splunk_server <BR /> | fields source mysourcetype host bytes pool originator my_splunk_server <BR /> | eval mbytes=((bytes/1024)/1024) <BR /> | stats sum(mbytes) as mbytes by host </P> Mon, 28 Sep 2020 15:29:50 GMT rdelmark 2020-09-28T15:29:50Z https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180680#M52056 <P>this search works great to provide me a list of hosts showing how much license usage over a 1 day period, but when I put it in a bar graph it does not work well because the stats command provides an OVERALL total as well as a total for each host, how to I remove the overall total and only show the total for the top 5 hosts.</P> <P>index="_internal" source="*license_usage.log" <BR /> | rename h as host b as bytes<BR /> | eval my_splunk_server = splunk_server <BR /> | fields source mysourcetype host bytes pool originator my_splunk_server <BR /> | eval mbytes=((bytes/1024)/1024) <BR /> | stats sum(mbytes) as mbytes by host </P> Mon, 28 Sep 2020 15:29:50 GMT https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180680#M52056 rdelmark 2020-09-28T15:29:50Z https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180681#M52057 <P>I think something like this should work:</P> <PRE><CODE>index="_internal" source="*license_usage.log" | rename h as host b as bytes | eval my_splunk_server = splunk_server | fields source mysourcetype host bytes pool originator my_splunk_server | eval mbytes=((bytes/1024)/1024) | stats sum(mbytes) as mbytes by host | sort -mbytes | head 5 </CODE></PRE> Tue, 17 Dec 2013 00:42:06 GMT https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180681#M52057 bruceclarke 2013-12-17T00:42:06Z https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180682#M52058 <P>I as far as I know, the stats command, especially what your have written, should not be providing any OVERALL total. Would you mind sharing the final output (tabular) before chart command. Also to get top 5, you can sort by mbytes and use "| head 5" in the end of search.</P> Tue, 17 Dec 2013 00:43:15 GMT https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180682#M52058 somesoni2 2013-12-17T00:43:15Z https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180683#M52059 <P>Here are the results I get when I added the Head 5 and sort commands suggested. It is showing the overall TOTAL mybtes used for the 24hr period, as well as the mbtyes used for each host. When I then click on the results chart icon to turn it into a bar chart it looks bad because I am charting the Total mbytes used for the entire day when I only want a chart with the individual hosts.</P> <P>host mbytes<BR /> 39891.08222<BR /> scom01ms162 163.468506<BR /> dcmenprd1 163.271321<BR /> splk01as162 160.080222<BR /> sfp01spare 135.03406</P> Tue, 17 Dec 2013 16:07:09 GMT https://community.splunk.com/t5/Splunk-Search/Using-Stats-Command/m-p/180683#M52059 rdelmark 2013-12-17T16:07:09Z