Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the top 10 URL's visited by count and then sort those 10 URL's by sum(bandwidth) in ascending order.

rsingh_splunk
Splunk Employee
Splunk Employee
‎04-14-2016 10:47 AM

So basically what i need is 3 columns which contains the top 10 visited URL's with count sorted by highest bandwidth used by them.
URL | COUNT | SUM(Bandwidth)

any help would be greatly appreciated..new to splunk.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-14-2016 12:59 PM

Try this

index=weblogs [search index=weblogs | top 10 url | fields url ] | stats count sum(bandwidth) as sum by url

View solution in original post

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎04-15-2016 03:13 AM

Let's avoid subsearches as much as possible. Maybe this:

index=weblogs | fields url bandwidth | stats count sum(bandwidth) as bw by url | top 10 bw

You could also sort after the stats and do a | head 10 if that top is cutting out your fields.

0 Karma
Reply
Solved! Jump to solution

rsingh_splunk
Splunk Employee
Splunk Employee
‎04-15-2016 05:09 AM

Thank Esix, but this search just shows the top 10 urls by bandwidth used, what i want is top 10 url's visited and then sort those 10 url's by bandwidth used.
any way to do it without using subsearches?

0 Karma
Reply
Solved! Jump to solution

simon_lavigne
Path Finder
‎07-20-2016 09:20 PM

Using Esix's search change | top 10 bw to | top 10 bw url

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-14-2016 12:59 PM

Try this

index=weblogs [search index=weblogs | top 10 url | fields url ] | stats count sum(bandwidth) as sum by url
0 Karma
Reply
Solved! Jump to solution

rsingh_splunk
Splunk Employee
Splunk Employee
‎04-15-2016 05:03 AM

Thanks a lot @sundareshr, works like a charm but the only problem is that i couldn't get the count field in my final result.
I tried adding it using fields but i get a blank column without values.

here is my search:
index=weblog [search index=weblog | top 10 url |fields url] |stats sum(bandwidth) by url | sort -sum(bandwidth) | fields url, sum(bandwidth),count

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-15-2016 05:55 AM

change your stats command to 

....  |stats count sum(bandwidth) by url |

To @esix point, its is best to avoid subsearches. I should have thought of that. You can change you search to 

index=weblog | stats count sum(bandwidth) as bandwidth | sort count | head 10
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...