Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find out the top 30 applications by bandwidth

annageorgiou
New Member
‎02-02-2020 06:35 PM

Hi. I'm new to splunk and trying to code a search for top 30 applications by bandwidth. So far I have the following coding and wondering if anyone has any ideas on how I can get it to work. I have put an '*' in my index as it's classified. I would like it in a table. 

index=* sourcetype=*=* OR * 
| eval byteReceivedMB=round(rcvdbyte/1024/1024,2) 
| eval byteSentMB=round(sentbyte/1024/1024,2) 
| stats sum(byteReceivedMB) as "Megabytes Received" sum(byteSentMB) as "Megabytes Sent" by app 
| addtotals 
| dedup app 
| sort limit=30 -Total
0 Karma
Reply

annageorgiou
New Member
‎02-03-2020 02:46 PM

index= *
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total

In the end, I had to use this coding and it seems to work. Sorry above 'eval' coding (in my original question) didn't work.

0 Karma
Reply

DalJeanis
Legend
‎02-03-2020 09:54 AM

Make sure there is a space between the - and the fields that are to be sorted descending. Otherwise, Splunk has a tendency to think that -Total is the name of the field it is supposed to sort on.

0 Karma
Reply

annageorgiou
New Member
‎02-03-2020 02:20 PM

Thank you. Played around with the total and the spacing and it works.

I had to change the coding above to show:-

index=*
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total

This is giving me some sent and received responses. Hopefully it's correct.

0 Karma
Reply

to4kawa
Ultra Champion
‎02-03-2020 01:54 AM

any problem?
looks like it works.

0 Karma
Reply

annageorgiou
New Member
‎02-03-2020 02:21 PM

I had to change the coding above to show:-

index=*
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total

This is giving me some sent and received responses. Hopefully it's correct. I had to change the spacing for total as menitoned in the below answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top