Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using Stats Command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Stats Command
this search works great to provide me a list of hosts showing how much license usage over a 1 day period, but when I put it in a bar graph it does not work well because the stats command provides an OVERALL total as well as a total for each host, how to I remove the overall total and only show the total for the top 5 hosts.
index="_internal" source="*license_usage.log"
| rename h as host b as bytes
| eval my_splunk_server = splunk_server
| fields source mysourcetype host bytes pool originator my_splunk_server
| eval mbytes=((bytes/1024)/1024)
| stats sum(mbytes) as mbytes by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the results I get when I added the Head 5 and sort commands suggested. It is showing the overall TOTAL mybtes used for the 24hr period, as well as the mbtyes used for each host. When I then click on the results chart icon to turn it into a bar chart it looks bad because I am charting the Total mbytes used for the entire day when I only want a chart with the individual hosts.
host mbytes
39891.08222
scom01ms162 163.468506
dcmenprd1 163.271321
splk01as162 160.080222
sfp01spare 135.03406
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I as far as I know, the stats command, especially what your have written, should not be providing any OVERALL total. Would you mind sharing the final output (tabular) before chart command. Also to get top 5, you can sort by mbytes and use "| head 5" in the end of search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think something like this should work:
index="_internal" source="*license_usage.log"
| rename h as host b as bytes
| eval my_splunk_server = splunk_server
| fields source mysourcetype host bytes pool originator my_splunk_server
| eval mbytes=((bytes/1024)/1024)
| stats sum(mbytes) as mbytes by host
| sort -mbytes
| head 5
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
