Splunk Search

How to find out the top 30 applications by bandwidth

New Member

Hi. I'm new to splunk and trying to code a search for top 30 applications by bandwidth. So far I have the following coding and wondering if anyone has any ideas on how I can get it to work. I have put an '*' in my index as it's classified. I would like it in a table.

index=* sourcetype=*=* OR * 
| eval byteReceivedMB=round(rcvdbyte/1024/1024,2) 
| eval byteSentMB=round(sentbyte/1024/1024,2) 
| stats sum(byteReceivedMB) as "Megabytes Received" sum(byteSentMB) as "Megabytes Sent" by app 
| addtotals 
| dedup app 
| sort limit=30 -Total
0 Karma

New Member

index= *
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total

In the end, I had to use this coding and it seems to work. Sorry above 'eval' coding (in my original question) didn't work.

0 Karma

SplunkTrust
SplunkTrust

Make sure there is a space between the - and the fields that are to be sorted descending. Otherwise, Splunk has a tendency to think that -Total is the name of the field it is supposed to sort on.

0 Karma

New Member

Thank you. Played around with the total and the spacing and it works.

I had to change the coding above to show:-

index=*
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total

This is giving me some sent and received responses. Hopefully it's correct.

0 Karma

SplunkTrust
SplunkTrust

any problem?
looks like it works.

0 Karma

New Member

I had to change the coding above to show:-

index=*
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| eval TotalGB=round(TotalMB/1024,2)
| stats sum(sentbyte) AS TotalSent, sum(rcvdbyte) AS TotalRcvd by app
| addtotals
| dedup app
| sort limit=30 - total

This is giving me some sent and received responses. Hopefully it's correct. I had to change the spacing for total as menitoned in the below answer.

0 Karma