Splunk Search

How to edit my search to get the top 3 apps by total_byte and group all other app results as "Other"?

Contributor

Hi Splukers,

I cannot get a search to produce what I want. Please help me.
I tried the following search and got results.

index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte

Results

app             sum_send    sum_rcv  total_byte
HTTP.BROWSER    7775148     50982187    58757335
Yum             300136      13395774    13695910
SSH             5558054  6727574     12285628
Wget            1029059  10632394   11661453
DNS          9008       3125787  3134795

Next I want to get top 3 apps and others list by total_byte like the following.

app          total_byte
HTTP.BROWSER    58757335
Yum             13695910
SSH          12285628
Other           14796248

I tried this search, but I lost the app name..
And I also tried top total_bytes by app commands etc..but no good.

index=* app="*"
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_*
| sort - total_byte
| top limit=3 total_byte showcount=f showperc=f useother=t

So, how do I get what I want?
Thank you very much.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

The top command works based on number of events (not on magnitude of a field value) hence that didn't work. Try something like this

 index=* app="*"
 | chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
 | addtotals fieldname=total_byte sum_*
 | sort - total_byte
 | eval rank=1 | accum rank | appendpipe [where rank>3 | stats sum(total_byte) as total_byte | eval app="Others" | eval rank=3] 
 | where rank <4 | fields - rank

View solution in original post

SplunkTrust
SplunkTrust

The top command works based on number of events (not on magnitude of a field value) hence that didn't work. Try something like this

 index=* app="*"
 | chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
 | addtotals fieldname=total_byte sum_*
 | sort - total_byte
 | eval rank=1 | accum rank | appendpipe [where rank>3 | stats sum(total_byte) as total_byte | eval app="Others" | eval rank=3] 
 | where rank <4 | fields - rank

View solution in original post

Contributor

Thank you, somesoni2.
Great! A series of searches from "rank" field to "appendpipe" is a very convenient way.
I like it.

0 Karma

SplunkTrust
SplunkTrust

This might look a bit overcomplicated and i'm sure there's an easier way, but I didn't manage to get top working as you would expect so this is my approach using sort and streamstats instead:

index= app=""
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| eval total_byte = sum_send + sum_rcv
| sort num(total_byte)
| streamstats count, sum(total_byte) as sum_total_byte
| eval total_byte = if(count >= 3, total_byte, sum_total_byte)
| eval app = if(count >= 3, app, "OTHER")
| fields app, total_byte
| sort 4 -num(total_byte)

Note this is hardcoded to work with the top 3 only.

0 Karma

Motivator

you use ' head ' command like that :

index=* app=""
| chart sum(sentbyte) as sum_send, sum(rcvdbyte) as sum_rcv by app
| addtotals fieldname=total_byte sum_

| sort - total_byte
| head 3

0 Karma