Using Stats Command

rdelmark · ‎12-16-2013

this search works great to provide me a list of hosts showing how much license usage over a 1 day period, but when I put it in a bar graph it does not work well because the stats command provides an OVERALL total as well as a total for each host, how to I remove the overall total and only show the total for the top 5 hosts.

rdelmark · ‎12-17-2013

Here are the results I get when I added the Head 5 and sort commands suggested. It is showing the overall TOTAL mybtes used for the 24hr period, as well as the mbtyes used for each host. When I then click on the results chart icon to turn it into a bar chart it looks bad because I am charting the Total mbytes used for the entire day when I only want a chart with the individual hosts.

host mbytes
39891.08222
scom01ms162 163.468506
dcmenprd1 163.271321
splk01as162 160.080222
sfp01spare 135.03406

somesoni2 · ‎12-16-2013

I as far as I know, the stats command, especially what your have written, should not be providing any OVERALL total. Would you mind sharing the final output (tabular) before chart command. Also to get top 5, you can sort by mbytes and use "| head 5" in the end of search.

bruceclarke · ‎12-16-2013

I think something like this should work:

index="_internal" source="*license_usage.log" 
| rename h as host b as bytes
| eval my_splunk_server = splunk_server 
| fields source mysourcetype host bytes pool originator my_splunk_server 
| eval mbytes=((bytes/1024)/1024) 
| stats sum(mbytes) as mbytes by host
| sort -mbytes
| head 5

Using Stats Command

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor