Splunk Search

How to get top 10 users by usage per day for last 30 days

vrmandadi
Builder

I have an index which gives user information on how much GB of data they used and from what source. I would like to get the top 10 users based on the GB used per day for the last 30 days in a report. How can I create a report which will show the date, top 10 users, GB used and the source, followed by the next date with top 10 users, GB used and source?

The below search gives the top 10 users, but I want to have it by each day for the last 30 days.

index=abc sourcetype=xyz  | stats sum(gb) as gb by user source
| sort - gb
| head 10


kamlesh_vaghela
SplunkTrust
SplunkTrust

@vrmandadi

Can you please try this?


index=abc sourcetype=xyz | eval user_source=user."-".source | timechart span=1d sum(gb) as gb by user_source WHERE max in top10

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.


vrmandadi
Builder

@kamlesh_vaghela Thank you for your reply. The search you provided has "by user_source", but my search has user and source as separate fields, not as one field like user_source, and also the results are not sorting in highest order.

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vrmandadi 

In my suggested search, the timechart command has been used to achieve per-day summation in GB. If you look at my search, I created a new field user_source by ```| eval user_source=user."-".source```. The purpose of this eval is to simulate the same value of user and source from the chart command.

Meanwhile, you can also try these for understanding the search.

index=abc sourcetype=xyz 
| timechart span=1d sum(gb) as gb by user WHERE max in top10

index=abc sourcetype=xyz 
| timechart span=1d sum(gb) as gb by source WHERE max in top10


Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

vrmandadi
Builder

Thank you, but the join of the two fields is correct because the user may have a different value on different dates.
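An added example, not from the thread, that produces the layout the question asks for (one block of ten rows per day, sorted by GB descending, with user and source kept as separate fields instead of a combined user_source). It assumes the index=abc, sourcetype=xyz and the user, source and gb fields from the original search; the 30-day window is set with earliest/latest, and the per-day rank comes from streamstats on the time-sorted results.

```spl
index=abc sourcetype=xyz earliest=-30d@d latest=@d
| bin _time span=1d
| stats sum(gb) as gb by _time, user, source
| sort 0 _time, -gb
| streamstats count as rank by _time
| where rank<=10
| eval date=strftime(_time, "%Y-%m-%d")
| table date, rank, user, source, gb
```

Because the daily top 10 is computed from the summed volume per user and source, a user sending unusually large amounts to a new source will surface on that day's list even if their monthly total is modest.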

kamlesh_vaghela
SplunkTrust
SplunkTrust

Yes,

Please accept the answer to help the community.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.