This makes it show the data as I want but it doesn't limit the results to 5 which is what I'm trying to do.
| top limit=5 bytes_in,bytes_out by src_ip
What is your actual goal? This query
| top limit=5 bytes_in,bytes_out | sort src_ip
reads to me as: "Find the five tuples of [bytes_in,bytes_out] that occur most frequently in my data, and then sort by src_ip." So putting aside the fact that the src_ip field is not propagating through the top command, I just want to make sure that's even matching your expectations.
I read this query
| top limit=5 bytes_in,bytes_out by src_ip
as: "Find the five tuples of [bytes_in,bytes_out] that occur most frequently for each src_ip value in my data" - so I would expect a maximum of five results PER src_ip.
Do either of these describe what you actually want?
So my actual goal is to show the top 5 bandwidth by IP... which I could be attacking completely wrong.
Will this work?
| stats count by src_ip,bytes_out,bytes_in | sort bytes_out,bytes_in desc
And can I limit the results to 5?
Thanks for your help.
This is my full query:
index=smtfortigate earliest=-10m latest=now | stats count by src_ip,bytes_out,bytes_in | sort bytes_out,bytes_in desc
Just to be really explicit, I'll translate this SPL to English:
| stats count by src_ip,bytes_out,bytes_in
That says: "For every tuple of [src_ip, bytes_in, bytes_out] - keep a running total of the number of times that tuple was seen."
If your data looked something like this:
src_ip=220.127.116.11 bytes_in=5 bytes_out=10
src_ip=18.104.22.168 bytes_in=50 bytes_out=100
src_ip=22.214.171.124 bytes_in=2 bytes_out=2
src_ip=126.96.36.199 bytes_in=2 bytes_out=2
src_ip=188.8.131.52 bytes_in=5 bytes_out=10
src_ip=184.108.40.206 bytes_in=5 bytes_out=10
src_ip=220.127.116.11 bytes_in=5 bytes_out=10
Here's what you'd get from that query:
src_ip=18.104.22.168 bytes_in=5 bytes_out=10 count=4
src_ip=22.214.171.124 bytes_in=50 bytes_out=100 count=1
src_ip=126.96.36.199 bytes_in=2 bytes_out=2 count=2
You could use that to calculate total bandwidth, but it would be less efficient than the method I'm suggesting in the comment below.
Here's what I'd do. I would take the sum of all bytes_in and the sum of all bytes_out per src_ip, add those together to get total_bandwidth per src_ip, sort descending by total_bandwidth, and limit to 5. That would look like this:
| stats sum(bytes_in) AS bytes_in, sum(bytes_out) AS bytes_out BY src_ip | eval total_bandwidth=bytes_in+bytes_out | sort 5 - total_bandwidth
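As an added example (not from this thread and not Splunk's own code), here is a Python model of both pipelines run over constructed key=value events: the `stats count by` version only tallies identical [src_ip, bytes_out, bytes_in] rows, while the `stats sum ... | eval ... | sort 5 -` version actually ranks hosts by bandwidth and caps the output at five. Field names follow the thread; the events and IP addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the key=value shape used in the thread (not real traffic).
SAMPLE_EVENTS = """\
src_ip=10.0.0.1 bytes_in=5 bytes_out=10
src_ip=10.0.0.2 bytes_in=50 bytes_out=100
src_ip=10.0.0.3 bytes_in=2 bytes_out=2
src_ip=10.0.0.3 bytes_in=2 bytes_out=2
src_ip=10.0.0.1 bytes_in=5 bytes_out=10
src_ip=10.0.0.4 bytes_in=5 bytes_out=10
src_ip=10.0.0.1 bytes_in=5 bytes_out=10
src_ip=10.0.0.5 bytes_in=1 bytes_out=1
src_ip=10.0.0.6 bytes_in=3 bytes_out=4
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Stand-in for Splunk field extraction: key=value lines -> dicts with integer byte counts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        events.append({"src_ip": fields["src_ip"],
                       "bytes_in": int(fields["bytes_in"]),
                       "bytes_out": int(fields["bytes_out"])})
    return events


def stats_count_by_tuple(events):
    """Equivalent of `| stats count by src_ip,bytes_out,bytes_in`: one row per distinct tuple."""
    counts = Counter((e["src_ip"], e["bytes_out"], e["bytes_in"]) for e in events)
    return [{"src_ip": ip, "bytes_out": bo, "bytes_in": bi, "count": n}
            for (ip, bo, bi), n in counts.items()]


def top_bandwidth_by_ip(events, limit=5):
    """Equivalent of the accepted answer: sum per src_ip, eval total, `sort <limit> - total_bandwidth`."""
    sums = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for e in events:
        sums[e["src_ip"]]["bytes_in"] += e["bytes_in"]
        sums[e["src_ip"]]["bytes_out"] += e["bytes_out"]
    rows = [{"src_ip": ip, **v, "total_bandwidth": v["bytes_in"] + v["bytes_out"]}
            for ip, v in sums.items()]
    rows.sort(key=lambda r: r["total_bandwidth"], reverse=True)  # descending, like `sort -`
    return rows[:limit]  # the numeric argument to `sort` is what caps the result set
```

With the sample above, the tuple count gives six rows (10.0.0.1 seen 3 times, 10.0.0.3 twice), while the bandwidth ranking returns exactly five hosts led by 10.0.0.2 with 150 bytes.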
Thanks that works well.
Why don't you put that in the answer so I can give you answer credit?