Re: Need to identify the top 50 groups

kteng2024 · ‎07-24-2017

index=abc source=license_usage.log type=usage | rex field=h "(ab2)(?P\w+[^\d+])" |search Group=kb01m OR Group=kb02r  | eval GB = b/1024/1024  | rename s AS source | stats sum(GB) AS "MB consumed" by Group

Above is the query ,but we have different groups like kb02m,kb02r,kb03m,kb03r,kb04m,kb04r......kb500m . How can i modify my query to find which group is consuming more MB . i would like have output of top 50 contributing group names along with MB they consumed.

cmerriman · ‎07-25-2017

 index=abc source=license_usage.log type=usage | rex field=h "(ab2)(?P\w+[^\d+])" |search Group=kb01m OR Group=kb02r  | eval GB = b/1024/1024  | rename s AS source | stats sum(GB) AS "MB consumed" by Group|sort 0 Group - "MB consumed" |streamstats count by Group|search count<=50|fields - count

something like this, maybe?

woodcock · ‎07-24-2017

Like this:

index=abc source=license_usage.log type=usage
| rex field=h "(ab2)(?<Group>\w+[^\d+])"
| regex Group="YourRegExForGroupsToConsiderHere"
| top limit=50 useother=f Group BY b

kteng2024 · ‎07-24-2017

thanks for the reply. But i am trying to make the group name dynamic because it is difficult to mention all the 500 groups . something like | Group=kb(\d)m OR Group=kb(\d)r

and it should list the top 50 groups .

woodcock · ‎07-25-2017

I have updated my answer to include all requirements.

Need to identify the top 50 groups

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Need to identify the top 50 groups

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!