Solved: Table showing highest usage by host where usage is...

jeck11 · ‎06-11-2015

Here is the search I'm using:

index="_internal" source="*metrics.log" per_host_thruput series NOT splunk |  eval kb = round(kb,0) | stats sum(kb) by series | sort sum(kb) desc | rex field=series "(?<series>.*).domain"

I'd like the column labeled sum(kb) to be comma separated, but the couple ways I've tried will not work because it's viewed as summing.

richgalloway · ‎06-11-2015

Try this:

index="_internal" source="*metrics.log" per_host_thruput series NOT splunk | eval kb = round(kb,0) | stats sum(kb) as kbSum by series | sort kbSum desc | fieldformat kbSum=tostring(kbSum, "commas") | rex field=series "(?<series>.*).domain"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-11-2015

Try this:

index="_internal" source="*metrics.log" per_host_thruput series NOT splunk | eval kb = round(kb,0) | stats sum(kb) as kbSum by series | sort kbSum desc | fieldformat kbSum=tostring(kbSum, "commas") | rex field=series "(?<series>.*).domain"

---
If this reply helps you, Karma would be appreciated.

jeck11 · ‎06-11-2015

Thank you Rich! That worked perfectly.

richgalloway · ‎06-11-2015

You're welcome. Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

Table showing highest usage by host where usage is comma separated

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Table showing highest usage by host where usage is comma separated

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases