Splunk Search

Looking for a way to create better tables for large file

bcarlson
New Member

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day | table User, day, Total_Bytes

My Splunk search above is pulling the data that I need, but the table is getting huge.(over 2 mil rows and counting. I am looking for recommendations on ways to table the data differently. My goal at the end of this is to create a table that shows the number of days a user used data and the total number of bytes they used for a customer time range. Any ideas? A small sample of the data is below.
thks
bob

User Day (converted to Julian) Total Bytes Used
1 100 1024
2 100 1024
3 100 1024
4 100 1024
5 100 1024
6 100 1024
7 100 1024
8 100 1024
9 100 1024
1 101 2048
2 101 2048
3 101 2048
4 101 2048
5 101 2048
6 101 2048
7 101 2048
8 101 2048
9 101 2048
1 102 3072
2 102 3072
3 102 3072
4 102 3072
5 102 3072
6 102 3072
7 102 3072
8 102 3072
9 102 3072

Tags (5)
0 Karma
1 Solution

chris
Motivator

Have a look at the stats command, you could try something like:

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day |  stats dc(day) sum(Total_Bytes) by User

View solution in original post

chris
Motivator

Have a look at the stats command, you could try something like:

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day |  stats dc(day) sum(Total_Bytes) by User

bcarlson
New Member

Chris,
Thanks a bunch the command you suggested worked perfectly!
Bob

0 Karma

chris
Motivator

Good luck let me know if it does not work/isn't what you wanted

0 Karma

bcarlson
New Member

Chris,

thanks, I am running it and will see how it does. Have a great weekend!
bob

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...