Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syntax for 'top x application by usage per source ip'

ahmadsaadwarrai
Explorer
‎05-30-2019 06:07 PM

I have raw search:

| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese"
| eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")
| stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG
| search NOT DestinationNSG=ULT1_NSGX

How do I add top parameters, saying top x applications based on usage per source IP.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ahmadsaadwarrai
Explorer
‎05-30-2019 09:14 PM

I am able to do it using below search:

| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese"
| eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")
| stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG
| sort DstIp -"Total(MB)"
| eval counter = 1
| streamstats sum(counter) as seqNo by DstIp
| where seqNo < 5
| fields - counter seqNo
| search NOT DestinationNSG=ULT1_NSGX1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

darshildave
Explorer
‎05-31-2019 01:32 AM 
| stats values('Total(MB)') by source_ip | sort 0 - 'Total(MB)' | head limit=x

Here 'Total(MB)' is the usage and limit returns first x records from results.

0 Karma
Reply
Solved! Jump to solution
Solution

ahmadsaadwarrai
Explorer
‎05-30-2019 09:14 PM

I am able to do it using below search:

| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese"
| eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")
| stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG
| sort DstIp -"Total(MB)"
| eval counter = 1
| streamstats sum(counter) as seqNo by DstIp
| where seqNo < 5
| fields - counter seqNo
| search NOT DestinationNSG=ULT1_NSGX1

0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎05-30-2019 07:49 PM 
<your search> | top 10 application by sourceIP
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...