Search for sum of application bytes uploaded

johefu · ‎04-07-2021

Hello All,

I am trying to get a total number of bytes/MB/GB uploaded per application in Splunk.

Can't seem to find the correct search, I did find file_size.

Here is the search that I started out with;

sourcetype=x index=x_method="Explicit Proxy"
| table app,category,activity, user
| dedup user
| stats count by app,

Gives me the number of users per app, need to number of bytes uploaded per app.

Then this search, not sure if the totals are correct or not.

sourcetype=x index=y access_method="Explicit Proxy" activity=upload
| stats sum(file_size) by app

Thanks!

richgalloway · ‎04-07-2021

There';s no need to dedup before counting. The distinct_count function will give the number of unique values in a given field.

sourcetype=x index=x method="Explicit Proxy"
| fields app,category,activity, user, bytes
| stats dc(user) as users, sum(bytes) as totalBytes by app

I'm not sure anyone here can say if the results of the second query are correct or not because we don't have access to your data.

---
If this reply helps you, Karma would be appreciated.

Join the Conversation