Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to add a sum in a top search?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
liusf
Explorer
01-14-2015
12:44 PM
Hello. I have this search:
* app="youtube" | top limit=20 srcip by app showperc=f countfield=total
of this log:
date=2015-01-14 time=08:32:10 srcip=192.168.1.200 app="Youtube" rcvdbyte=121
date=2015-01-14 time=08:38:10 srcip=192.168.1.200 app="Youtube" rcvdbyte=500
date=2015-01-14 time=08:32:10 srcip=192.168.1.200 app="Youtube" rcvdbyte=900
I need to add the total of bytes received (rcvdbyte) per IP in that App. I tried with stats sum before and after the top but the results are blank. Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-14-2015
01:10 PM
Give this a try
* app="youtube" | stats sum(rcvdbyte) as rcvdbytes count as total by app,srcip | sort app, -total| streamstats count as sno by app | where sno<21 | table app srcip total rcvdbytes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-14-2015
01:10 PM
Give this a try
* app="youtube" | stats sum(rcvdbyte) as rcvdbytes count as total by app,srcip | sort app, -total| streamstats count as sno by app | where sno<21 | table app srcip total rcvdbytes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
liusf
Explorer
01-14-2015
01:38 PM
It didn't work. rcvbytes = null
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-14-2015
01:59 PM
Field name was incorrect in my search, updated it now. Check back.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
liusf
Explorer
01-14-2015
02:20 PM
Thanks. It works now
Get Updates on the Splunk Community!
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
