Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Rewriting a search from using top to a sum statement

timbCFCA
Path Finder
‎02-11-2014 07:53 AM

I'm building a daily history for one of my log sources. I'm currently using the count of events via the top command to dictate the order and values as shown below. 

index=foreweb ......  | top TopLevelHost by c_ip limit=10 | stats  list(TopLevelHost) list(count) by c_ip | sort list(count) desc

This works well. I also have a field sc_bytes present in each entry. I'd like to replace the logic for top TopLevelHost by c_ip limit=10 with something that'll work based on the sum of sc_bytes.

What are my options?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-11-2014 08:19 AM

Try this

index=foreweb ...| stats sum(sc_bytes) as sum by TopLevelHost, c_ip | sort -sum | streamstats count as sno by c_ip | where sno < 11 | stats  list(TopLevelHost) list(sum) by c_ip | sort list(sum) desc

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-11-2014 08:19 AM

Try this

index=foreweb ...| stats sum(sc_bytes) as sum by TopLevelHost, c_ip | sort -sum | streamstats count as sno by c_ip | where sno < 11 | stats  list(TopLevelHost) list(sum) by c_ip | sort list(sum) desc
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎02-11-2014 11:08 AM

Many thanks. I'd also like to be able to convert the sum fields from bytes to megabytes. Can you provide an example of how to do so? I'd assume an eval and dividing by 1048576 would be all that is required but I'm not sure where to place it.

0 Karma
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎02-11-2014 08:07 AM

@somesoni2 - I want the logic to work exactly the same as outlined in the top command, only based off the sum of the sc_bytes instead of the count of events for a given c_ip. I guess that it'd need to be separated by c_ip but I'm not really sure.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-11-2014 08:02 AM

what is the condition you want to put based on sc_bytes sum?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...