Solved: Syntax for 'top x application by usage per source ...

ahmadsaadwarrai · ‎05-30-2019

I have raw search:

| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese"
| eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")
| stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG
| search NOT DestinationNSG=ULT1_NSGX

How do I add top parameters, saying top x applications based on usage per source IP.

ahmadsaadwarrai · ‎05-30-2019

I am able to do it using below search:

| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese"
| eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")
| stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG
| sort DstIp -"Total(MB)"
| eval counter = 1
| streamstats sum(counter) as seqNo by DstIp
| where seqNo < 5
| fields - counter seqNo
| search NOT DestinationNSG=ULT1_NSGX1

View solution in original post

darshildave · ‎05-31-2019

| stats values('Total(MB)') by source_ip | sort 0 - 'Total(MB)' | head limit=x

Here 'Total(MB)' is the usage and limit returns first x records from results.

ahmadsaadwarrai · ‎05-30-2019

I am able to do it using below search:

| ess eaddr=172.20.8.60:9200 index=nuage_dpi_flowstats-* tsfield=timestamp query="EnterpriseName=Lismore Diocese"
| eval _time=strftime(_time/1000, "%Y-%m-%d %H:%M:%S")
| stats sum(TotalMB) as "Total(MB)" by DstIp, L7ClassEnhanced, DestinationNSG
| sort DstIp -"Total(MB)"
| eval counter = 1
| streamstats sum(counter) as seqNo by DstIp
| where seqNo < 5
| fields - counter seqNo
| search NOT DestinationNSG=ULT1_NSGX1

nabeel652 · ‎05-30-2019

<your search> | top 10 application by sourceIP

Syntax for 'top x application by usage per source ip'

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?