topic How to combine the stats sum() and top functionality in my search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-stats-sum-and-top-functionality-in-my-search/m-p/244755#M72901 <P>Hello,</P> <P>I'm trying to do something which looks like a basic need to me, but I'm stuck at finding a simple way to do it.<BR /> I have data of TCP session statistics with the following fields: Client IP, Server IP, Volume of data exchanged (bytes)<BR /> For each Client IP, I want to get the list of top 5 servers with which the Client has exchanged the most bytes (including the sum) and remaining servers as Others.</P> <P>So if my data set is<BR /> 1.2.3.4;2.3.4.5;7000<BR /> 1.2.3.4;2.3.4.5;7000<BR /> 1.2.3.4;2.3.4.6;5000<BR /> 1.2.3.4;2.3.4.7;4000<BR /> 1.2.3.4;2.3.4.8;3000<BR /> 1.2.3.4;2.3.4.9;2000<BR /> 1.2.3.4;2.3.4.10;1000<BR /> 1.2.3.4;2.3.4.11;500</P> <P>I want:<BR /> 1.2.3.4;2.3.4.5;14000<BR /> 1.2.3.4;2.3.4.6;5000<BR /> 1.2.3.4;2.3.4.7;4000<BR /> 1.2.3.4;2.3.4.8;3000<BR /> 1.2.3.4;2.3.4.9;2000<BR /> 1.2.3.4;OTHER;1500</P> <P>With stats, I could do <CODE>stats sum(bytes) by Client, Server</CODE>, but I'll get the whole statistics (my result will not be limited to the top 5 + other)<BR /> With Top, I would not be able to sum bytes.</P> <P>Regards,</P> Tue, 10 May 2016 17:55:04 GMT jebabin 2016-05-10T17:55:04Z How to combine the stats sum() and top functionality in my search? https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-stats-sum-and-top-functionality-in-my-search/m-p/244755#M72901 <P>Hello,</P> <P>I'm trying to do something which looks like a basic need to me, but I'm stuck at finding a simple way to do it.<BR /> I have data of TCP session statistics with the following fields: Client IP, Server IP, Volume of data exchanged (bytes)<BR /> For each Client IP, I want to get the list of top 5 servers with which the Client has exchanged the most bytes (including the sum) and remaining servers as Others.</P> <P>So if my data set is<BR /> 1.2.3.4;2.3.4.5;7000<BR /> 1.2.3.4;2.3.4.5;7000<BR /> 1.2.3.4;2.3.4.6;5000<BR /> 1.2.3.4;2.3.4.7;4000<BR /> 1.2.3.4;2.3.4.8;3000<BR /> 1.2.3.4;2.3.4.9;2000<BR /> 1.2.3.4;2.3.4.10;1000<BR /> 1.2.3.4;2.3.4.11;500</P> <P>I want:<BR /> 1.2.3.4;2.3.4.5;14000<BR /> 1.2.3.4;2.3.4.6;5000<BR /> 1.2.3.4;2.3.4.7;4000<BR /> 1.2.3.4;2.3.4.8;3000<BR /> 1.2.3.4;2.3.4.9;2000<BR /> 1.2.3.4;OTHER;1500</P> <P>With stats, I could do <CODE>stats sum(bytes) by Client, Server</CODE>, but I'll get the whole statistics (my result will not be limited to the top 5 + other)<BR /> With Top, I would not be able to sum bytes.</P> <P>Regards,</P> Tue, 10 May 2016 17:55:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-stats-sum-and-top-functionality-in-my-search/m-p/244755#M72901 jebabin 2016-05-10T17:55:04Z Re: How to combine the stats sum() and top functionality in my search? https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-stats-sum-and-top-functionality-in-my-search/m-p/244756#M72902 <P>Easy peasy</P> <PRE><CODE>yoursearchhere | stats sum(bytes) as totalBytes by Client, Server | sort 10 -totalBytes </CODE></PRE> <P>will return a list of the "top 10" Client-Server combinations based on the sum.</P> <P>If you want the top 5 plus "other", try this</P> <PRE><CODE>yoursearchhere | stats sum(bytes) as totalBytes by Client, Server | eventstats sum(totalBytes) as grandTotal | sort 5 -totalBytes | appendpipe [ stats sum(totalBytes) as top5 avg(grandTotal) as grandTotal | eval Client="Other" | eval Server="Other" | eval totalBytes = grandTotal - top5 ] | eval percent = round(totalBytes*100/grandTotal,1) | fields - top5 grandTotal </CODE></PRE> <P>Add the "Other" is clearly a little more tricky.</P> Tue, 10 May 2016 18:12:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-stats-sum-and-top-functionality-in-my-search/m-p/244756#M72902 lguinn2 2016-05-10T18:12:37Z