topic Re: How to modify my search so it shows total MB per user for the day? in Splunk Search

How to modify my search so it shows total MB per user for the day?

cm22486 — Tue, 20 Sep 2016 20:57:21 GMT

bucket _time span=1d| eval  _time = strftime(_time,"%b %d, %Y")| stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved, values(User_Name), values(MBytes_Moved) by _time

Above is my current search, but only shows the total MB moved by all users. I want to show total MB moved, per user, for the day.

What I am looking for would be:

Date                    MBytes_Moved          User
Sept 20, 2016           2347                  john.smith
                        4675                  john.wagner
                        534                   mike.smith
                        1215                  pablo.johnson
Sept 21, 2016           953                   john.smith
                        3246                  lonnie.murray
                        2312                  max.effort
Sept 22, 2016           2347                  jason.adams
                        9087                  john.doe
                        5876                  william.shelton

Thanks!

Re: How to modify my search so it shows total MB per user for the day?

somesoni2 — Tue, 20 Sep 2016 21:28:31 GMT

Try this

your base search |  bucket _time span=1d| eval  _time = strftime(_time,"%b %d, %Y")| stats sum(Bytes_Written) as MBytes_Moved by _time User_Name | eval MBytes_Moved=MBytes_Moved/(1024*1024) | stats sum(MBytes_Moved) as MBytes_Moved values(User_Name) values(MBytes_Moved) by _time

Updated#2 for File_Moved column

your base search |  bucket _time span=1d| eval  _time = strftime(_time,"%b %d, %Y")| stats sum(Bytes_Written) as MBytes_Moved count as File_Moved by _time User_Name | eval MBytes_Moved=MBytes_Moved/(1024*1024) | stats sum(MBytes_Moved) as MBytes_Moved list(User_Name) list(MBytes_Moved) list(File_Moved) as File_Moved by _time

Re: How to modify my search so it shows total MB per user for the day?

masonmorales — Tue, 20 Sep 2016 21:59:14 GMT

 bucket _time span=1d| eval  _time = strftime(_time,"%b %d, %Y")| stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved by _time User_Name

Re: How to modify my search so it shows total MB per user for the day?

cm22486 — Wed, 21 Sep 2016 19:47:03 GMT

Ahh we're close! Nice work and thank you! Last but not least, I forgot to include my "Files Moved" column in all of that. This is how I achieved "Files Moved" before, how could we append this?

stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved, Count(_time) as Files_Moved by User_Name

Re: How to modify my search so it shows total MB per user for the day?

somesoni2 — Wed, 21 Sep 2016 20:20:06 GMT

See the updated answer...

Re: How to modify my search so it shows total MB per user for the day?

cm22486 — Wed, 21 Sep 2016 20:31:39 GMT

http://imgur.com/a/eBfdX

Re: How to modify my search so it shows total MB per user for the day?

cm22486 — Wed, 21 Sep 2016 20:32:18 GMT

That is a link to the screenshot of my results, we are so close, thanks for all the help.

Re: How to modify my search so it shows total MB per user for the day?

somesoni2 — Wed, 21 Sep 2016 20:46:14 GMT

The values aggregation function remove duplicate values and there could very well be duplicate/same count of files moved. Instead of values function, use list function instead. I've updated the answer.

Re: How to modify my search so it shows total MB per user for the day?

cm22486 — Wed, 21 Sep 2016 20:50:32 GMT

He shoots he scores! Thanks so much, you're a wizard.