Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get top 10 users by usage per day for last 30 days

vrmandadi
Builder
‎06-11-2021 07:28 AM

I have an index which gives user information of how much GB of data they used and from what source .I would like to get the top 10 users based on the GB used per day for the last 30 days in a report .How can a create a report which will show date top 10 users , GB used and the source followed by the next date with top 10 users,GB used and source 

The below search gives the top 10 users but I want to have it by each day for last 30 days 

 

index=abc sourcetype=xyz  | stats sum(gb) as gb by user source
| sort - gb
| head 10

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2021 07:48 AM

@vrmandadi =

Can you please try this?

 

index=abc sourcetype=xyz | eval user_source=user."-".source | timechart span=1d sum(gb) as gb by user_source WHERE max in top10

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

Tags (2)
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2021 07:48 AM

@vrmandadi =

Can you please try this?

 

index=abc sourcetype=xyz | eval user_source=user."-".source | timechart span=1d sum(gb) as gb by user_source WHERE max in top10

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

Tags (2)
Reply
Solved! Jump to solution

vrmandadi
Builder
‎06-11-2021 08:08 AM

@kamlesh_vaghela  .Thank you fro you reply . the search you provided  which has  by user_source ..but my search has user and source as separate fields  not as one field like user_source and also the results are not sorting in highest order

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2021 08:21 AM

@vrmandadi 

In my suggested search, the timechart command has been used to achieve per day summation in GB.  If you see in my search I created new field user_source by ```| eval user_source=user."-".source``` . The purpose of this eval is to simulate same value of user and source from chart command. 

mean while you can try this also for understanding of search.

index=abc sourcetype=xyz 
| timechart span=1d sum(gb) as gb by user WHERE max in top10


index=abc sourcetype=xyz 
| timechart span=1d sum(gb) as gb by source WHERE max in top10

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎06-11-2021 09:30 AM

Thank You but the join of two fields is correct because the user may have different value in different dates

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2021 09:32 AM

Yes,

Please accept the answer to help community.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...