Hi Splunkers,
I cannot get a search to produce what I want. Please help me.
I tried the following search and got results.
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
Results
app sum_send sum_rcv total_byte
HTTP.BROWSER 7775148 50982187 58757335
Yum 300136 13395774 13695910
SSH 5558054 6727574 12285628
Wget 1029059 10632394 11661453
DNS 9008 3125787 3134795
Next I want to get top 3 apps and others list by total_byte like the following.
app total_byte
HTTP.BROWSER 58757335
Yum 13695910
SSH 12285628
Other 14796248
I tried this search, but I lost the app name.
I also tried top total_bytes by app
and similar commands, but no good.
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| top limit=3 total_byte showcount=f showperc=f useother=t
So, how do I get what I want?
Thank you very much.
The top command works on the number of events (not on the magnitude of a field value), hence that didn't work. Try something like this:
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| eval rank=1 | accum rank | appendpipe [where rank>3 | stats sum(total_byte) as total_byte | eval app="Others" | eval rank=3]
| where rank <4 | fields - rank
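As an added example that is not part of the thread and not Splunk's own code, the same pipeline (chart by app, addtotals, sort, rank/accum/appendpipe into "Others") reproduced in Python so the logic can be checked offline against the totals in the question. The field names (app, sentbyte, rcvdbyte, sum_send, sum_rcv, total_byte) and app names come from the thread; the events are constructed so that their sums match the question's table; the function names are mine. It also generalizes to any n and handles the case where fewer than n apps exist (no "Others" row), which the SPL answer handles implicitly because the where-filtered stats produces no row.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): two events per app whose
# sentbyte/rcvdbyte figures add up to the per-app totals shown in the question.
EVENTS = [
    {"app": "HTTP.BROWSER", "sentbyte": 7000000, "rcvdbyte": 50000000},
    {"app": "HTTP.BROWSER", "sentbyte": 775148, "rcvdbyte": 982187},
    {"app": "Yum", "sentbyte": 300000, "rcvdbyte": 13000000},
    {"app": "Yum", "sentbyte": 136, "rcvdbyte": 395774},
    {"app": "SSH", "sentbyte": 5000000, "rcvdbyte": 6000000},
    {"app": "SSH", "sentbyte": 558054, "rcvdbyte": 727574},
    {"app": "Wget", "sentbyte": 1000000, "rcvdbyte": 10000000},
    {"app": "Wget", "sentbyte": 29059, "rcvdbyte": 632394},
    {"app": "DNS", "sentbyte": 9000, "rcvdbyte": 3000000},
    {"app": "DNS", "sentbyte": 8, "rcvdbyte": 125787},
]


def chart_by_app(events):
    """Equivalent of `chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app`."""
    sums = defaultdict(lambda: {"sum_send": 0, "sum_rcv": 0})
    for ev in events:
        sums[ev["app"]]["sum_send"] += ev["sentbyte"]
        sums[ev["app"]]["sum_rcv"] += ev["rcvdbyte"]
    return [{"app": app, **vals} for app, vals in sums.items()]


def add_totals(rows, fieldname="total_byte"):
    """Equivalent of `addtotals fieldname=total_byte sum_*`: row-wise sum of sum_* fields."""
    for row in rows:
        row[fieldname] = sum(v for k, v in row.items() if k.startswith("sum_"))
    return rows


def top_n_with_others(rows, n=3, label="Others"):
    """Mirror of `sort - total_byte | eval rank=1 | accum rank | appendpipe [...]`.

    Rows are ranked by descending total_byte (app name breaks ties so the
    result is deterministic); the first n keep their name, everything ranked
    below n is summed into a single row labelled `label`.
    """
    ranked = sorted(rows, key=lambda r: (-r["total_byte"], r["app"]))
    keep = [(r["app"], r["total_byte"]) for r in ranked[:n]]
    rest = ranked[n:]
    if rest:  # `where rank>3 | stats sum(...)` yields no row when nothing is left over
        keep.append((label, sum(r["total_byte"] for r in rest)))
    return keep


def top_apps_by_bytes(events, n=3):
    """Whole pipeline: chart -> addtotals -> top n + Others, as a list of (app, total_byte)."""
    return top_n_with_others(add_totals(chart_by_app(events)), n)


if __name__ == "__main__":
    for app, total in top_apps_by_bytes(EVENTS):
        print(f"{app:<14}{total:>12}")
```

Running it prints the four rows the question asked for, with Others = Wget + DNS = 14796248. Note that `top` in SPL would instead count how many events carry each total_byte value, which is why it cannot produce this ranking.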
Thank you, somesoni2.
Great! A series of searches from "rank" field to "appendpipe" is a very convenient way.
I like it.
This might look a bit overcomplicated and I'm sure there's an easier way, but I didn't manage to get top working as you would expect, so this is my approach using sort and streamstats instead:
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| eval total_byte = sum_send + sum_rcv
| sort num(total_byte)
| streamstats count, sum(total_byte) as sum_total_byte
| eval total_byte = if(count >= 3, total_byte, sum_total_byte)
| eval app = if(count >= 3, app, "OTHER")
| fields app, total_byte
| sort 4 -num(total_byte)
Note this is hardcoded to work with the top 3 only.
You can use the 'head' command like this:
index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| head 3