Need to identify the top 50 groups

kteng2024 · ‎07-24-2017

index=abc source=license_usage.log type=usage | rex field=h "(ab2)(?P\w+[^\d+])" |search Group=kb01m OR Group=kb02r  | eval GB = b/1024/1024  | rename s AS source | stats sum(GB) AS "MB consumed" by Group

Above is the query ,but we have different groups like kb02m,kb02r,kb03m,kb03r,kb04m,kb04r......kb500m . How can i modify my query to find which group is consuming more MB . i would like have output of top 50 contributing group names along with MB they consumed.

cmerriman · ‎07-25-2017

 index=abc source=license_usage.log type=usage | rex field=h "(ab2)(?P\w+[^\d+])" |search Group=kb01m OR Group=kb02r  | eval GB = b/1024/1024  | rename s AS source | stats sum(GB) AS "MB consumed" by Group|sort 0 Group - "MB consumed" |streamstats count by Group|search count<=50|fields - count

something like this, maybe?

woodcock · ‎07-24-2017

Like this:

index=abc source=license_usage.log type=usage
| rex field=h "(ab2)(?<Group>\w+[^\d+])"
| regex Group="YourRegExForGroupsToConsiderHere"
| top limit=50 useother=f Group BY b

kteng2024 · ‎07-24-2017

thanks for the reply. But i am trying to make the group name dynamic because it is difficult to mention all the 500 groups . something like | Group=kb(\d)m OR Group=kb(\d)r

and it should list the top 50 groups .

woodcock · ‎07-25-2017

I have updated my answer to include all requirements.

Need to identify the top 50 groups

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Need to identify the top 50 groups

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR