- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find out the top 30 applications by bandwid...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to find out the top 30 applications by bandwidth
Hi. I'm new to splunk and trying to code a search for top 30 applications by bandwidth. So far I have the following coding and wondering if anyone has any ideas on how I can get it to work. I have put an '*' in my index as it's classified. I would like it in a table.
index=* sourcetype=*=* OR *
| eval byteReceivedMB=round(rcvdbyte/1024/1024,2)
| eval byteSentMB=round(sentbyte/1024/1024,2)
| stats sum(byteReceivedMB) as "Megabytes Received" sum(byteSentMB) as "Megabytes Sent" by app
| addtotals
| dedup app
| sort limit=30 -Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index= *
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total
In the end, I had to use this coding and it seems to work. Sorry above 'eval' coding (in my original question) didn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure there is a space between the - and the fields that are to be sorted descending. Otherwise, Splunk has a tendency to think that -Total is the name of the field it is supposed to sort on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. Played around with the total and the spacing and it works.
I had to change the coding above to show:-
index=*
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total
This is giving me some sent and received responses. Hopefully it's correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any problem?
looks like it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had to change the coding above to show:-
index=*
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total
This is giving me some sent and received responses. Hopefully it's correct. I had to change the spacing for total as menitoned in the below answer.
Unleash Unified Security and Observability with Splunk Cloud Platform
Splunk AppDynamics with Cisco Secure Application
New Splunk Innovations Enhance Performance and Accelerate Troubleshooting
