Splunk Search

How to get top 2 MB users per website?

jrodriguezap
Contributor

Hi!
Maybe someone has been through this. I have the following table as the result of a search:

| website | user | MB |
|---|---|---|
| google.com | jperez | 125.71 |
| facebook.com | smartinez | 116.90 |
| facebook.com | jperez | 92.45 |
| facebook.com | asevalloz | 71.09 |
| twitter.com | jperez | 63.85 |
| google.com | marevalo | 43.85 |
| google.com | arios | 23.85 |
| twitter.com | lgutierrez | 13.85 |
| facebook.com | asevalloz | 11.09 |

And what I would like is to get the 2 users that generate the most MB per website:

| website | user | MB |
|---|---|---|
| google.com | jperez | 125.71 |
| google.com | marevalo | 43.85 |
| facebook.com | smartinez | 116.90 |
| facebook.com | jperez | 92.45 |
| twitter.com | jperez | 63.85 |
| twitter.com | lgutierrez | 13.85 |

I tried with: `search...| top 3 MB website by user`
But it did not turn out right. I would appreciate the help very much.
:)

regards


lguinn2
Legend

Try this - let me assume that your events contain the following fields:

user website MB

and that each event represents a TCP hit or something similar.

yoursearchhere
| stats sum(MB) as MB by website user
| sort website -MB
| eval counter = 1
| streamstats sum(counter) as seqNo by website
| where seqNo < 3
| fields - counter seqNo

The streamstats command generates a sequence number, which resets for each website. Then the where eliminates all but the top 2 users for each website.


jrodriguezap
Contributor

Excellent lguinn!
It was just the logic I had in mind, but I did not know how to build it. I really appreciate it!
:)
