- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to get the top 3 apps by tot...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splukers,
I cannot get a search to produce what I want. Please help me.
I tried the following search and got results.
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
Results
app sum_send sum_rcv total_byte
HTTP.BROWSER 7775148 50982187 58757335
Yum 300136 13395774 13695910
SSH 5558054 6727574 12285628
Wget 1029059 10632394 11661453
DNS 9008 3125787 3134795
Next I want to get top 3 apps and others list by total_byte like the following.
app total_byte
HTTP.BROWSER 58757335
Yum 13695910
SSH 12285628
Other 14796248
I tried this search, but I lost the app name..
And I also tried top total_bytes by app commands etc..but no good.
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| top limit=3 total_byte showcount=f showperc=f useother=t
So, how do I get what I want?
Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The top command works based on number of events (not on magnitude of a field value) hence that didn't work. Try something like this
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| eval rank=1 | accum rank | appendpipe [where rank>3 | stats sum(total_byte) as total_byte | eval app="Others" | eval rank=3]
| where rank <4 | fields - rank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The top command works based on number of events (not on magnitude of a field value) hence that didn't work. Try something like this
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| eval rank=1 | accum rank | appendpipe [where rank>3 | stats sum(total_byte) as total_byte | eval app="Others" | eval rank=3]
| where rank <4 | fields - rank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, somesoni2.
Great! A series of searches from "rank" field to "appendpipe" is a very convenient way.
I like it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might look a bit overcomplicated and i'm sure there's an easier way, but I didn't manage to get top working as you would expect so this is my approach using sort and streamstats instead:
index= app=""
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| eval total_byte = sum_send + sum_rcv
| sort num(total_byte)
| streamstats count, sum(total_byte) as sum_total_byte
| eval total_byte = if(count >= 3, total_byte, sum_total_byte)
| eval app = if(count >= 3, app, "OTHER")
| fields app, total_byte
| sort 4 -num(total_byte)
Note this is hardcoded to work with the top 3 only.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you use ' head ' command like that :
index=* app=""
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_
| sort - total_byte
| head 3
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
