Splunk Search

How to get top 2 MB users per website?

Communicator

Hi!
Maybe someone has been through this. I have the following table as a result of a search:

**website**      **user**        **MB**
  google.com      jperez          125.71
  facebook.com    smartinez       116.90
  facebook.com    jperez          92.45
  facebook.com    asevalloz       71.09
  twitter.com     jperez          63.85
  google.com      marevalo        43.85
  google.com      arios           23.85
  twitter.com     lgutierrez      13.85
  facebook.com    asevalloz       11.09

And what I would like is to get the 2 users that generate the most MB per website.

**website**      **user**        **MB**
  google.com      jperez          125.71
  google.com      marevalo        43.85
  facebook.com    smartinez       116.90
  facebook.com    jperez          92.45
  twitter.com     jperez          63.85
  twitter.com     lgutierrez      13.85

I tried with: search...| top 3 MB website by user
But it turned out, I would appreciate it much
:)

regards

1 Solution

Legend

Try this - let me assume that your events contain the following fields:

user website MB

and that each event represents a TCP hit or something similar.

yoursearchhere
| stats sum(MB) as MB by website user
| sort website -MB
| eval counter = 1
| streamstats sum(counter) as seqNo by website
| where seqNo < 3
| fields - counter seqNo

The streamstats command generates a sequence number, which resets for each website. Then the where eliminates all but the top 2 users for each website.

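As an added illustration (not part of the accepted answer), here is the same pipeline emulated in Python over a constructed copy of the asker's table, so each SPL stage can be seen in isolation: the stats step merges the duplicate facebook.com/asevalloz rows, the sort orders by website and then descending MB, the streamstats step is a per-website running count that restarts at 1 for each new website, and where seqNo < 3 keeps the top two.

```python
from collections import defaultdict

# Constructed sample events mirroring the table in the question: one row per
# hit as (website, user, MB). asevalloz appears twice for facebook.com, which
# is why the stats aggregation must run before ranking.
EVENTS = [
    ("google.com", "jperez", 125.71),
    ("facebook.com", "smartinez", 116.90),
    ("facebook.com", "jperez", 92.45),
    ("facebook.com", "asevalloz", 71.09),
    ("twitter.com", "jperez", 63.85),
    ("google.com", "marevalo", 43.85),
    ("google.com", "arios", 23.85),
    ("twitter.com", "lgutierrez", 13.85),
    ("facebook.com", "asevalloz", 11.09),
]


def top_n_per_website(events, n=2):
    """Return the top-n users by total MB for each website, as the SPL does.

    Each block below corresponds to one stage of the accepted answer's search.
    """
    # | stats sum(MB) as MB by website user
    totals = defaultdict(float)
    for website, user, mb in events:
        totals[(website, user)] += mb
    rows = [{"website": w, "user": u, "MB": round(mb, 2)}
            for (w, u), mb in totals.items()]

    # | sort website -MB  (website ascending, MB descending within a website)
    rows.sort(key=lambda r: (r["website"], -r["MB"]))

    # | eval counter = 1 | streamstats sum(counter) as seqNo by website
    # A running count that restarts for every distinct website.
    seq = defaultdict(int)
    for r in rows:
        seq[r["website"]] += 1
        r["seqNo"] = seq[r["website"]]

    # | where seqNo < 3  (seqNo <= n in general) | fields - counter seqNo
    return [{k: v for k, v in r.items() if k != "seqNo"}
            for r in rows if r["seqNo"] <= n]


if __name__ == "__main__":
    for row in top_n_per_website(EVENTS):
        print(f'{row["website"]:<14}{row["user"]:<14}{row["MB"]:>8.2f}')
```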


Communicator

Excellent lguinn!
It was just the logic I had in mind, but I did not know how to build it. I really appreciate it!
:)
