Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sort after limit row?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chengyu
Path Finder
03-18-2014
10:12 PM
Hi:
I'hope sort after limit row, i try head or sort limit or top...but fail, what can i do?
Thank you
sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidth(MB)) as bandwidth(MB) by srcip| table srcip,dstip,app,hostname bandwidth(MB)|sort bandwidth(MB) desc
now:
srcip dstip ... bandwidth(MB)
1.1.1.1 2.2.2.2 5
3.3.3.3 5
4.4.4.4 5
....
10.10.10.10
hope modify to dstip limit 3:
srcip dstip ... bandwidth(MB)
1.1.1.1 2.2.2.2 5
3.3.3.3 5
4.4.4.4 5
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
03-19-2014
12:38 AM
I am not sure exactly what you want here, but you have some errors in your search. First ( is not a valid character in a field name, unless you enclose it in quotation marks (sometimes double quotes and sometimes single quotes). So I suggest that you use a different field name like bandwidthMB to avoid this problem.
sourcetype=xxx
|eval bandwidth=rcvdbyte+sentbyte
| eval bandwidthMB = round(bandwidth/1024/1024,2)
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| sort 10 -bandwidthMB
By adding the 10 into the sort command, you will only see the top 10 values of bandwidthMB
If you only want to see the top 3 values of dstip, you can do this:
sourcetype=xxx
| eval bandwidthMB=round((rcvdbyte+sentbyte )/1024/1024,2)
| stats count sum(bandwidthMB) as bandwidthMB by dstip app hostname srcip
| sort srcip -count
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| eval dstipList = mvjoin(dstip,";")
| eval dstipList = replace(dstipList,"^(.+?;.+?;.+?);.*","\1")
| eval dstip=split(dstipList,";")
| fields - dstipList
| sort 10 -bandwidthMB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
03-19-2014
12:38 AM
I am not sure exactly what you want here, but you have some errors in your search. First ( is not a valid character in a field name, unless you enclose it in quotation marks (sometimes double quotes and sometimes single quotes). So I suggest that you use a different field name like bandwidthMB to avoid this problem.
sourcetype=xxx
|eval bandwidth=rcvdbyte+sentbyte
| eval bandwidthMB = round(bandwidth/1024/1024,2)
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| sort 10 -bandwidthMB
By adding the 10 into the sort command, you will only see the top 10 values of bandwidthMB
If you only want to see the top 3 values of dstip, you can do this:
sourcetype=xxx
| eval bandwidthMB=round((rcvdbyte+sentbyte )/1024/1024,2)
| stats count sum(bandwidthMB) as bandwidthMB by dstip app hostname srcip
| sort srcip -count
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| eval dstipList = mvjoin(dstip,";")
| eval dstipList = replace(dstipList,"^(.+?;.+?;.+?);.*","\1")
| eval dstip=split(dstipList,";")
| fields - dstipList
| sort 10 -bandwidthMB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chengyu
Path Finder
03-19-2014
01:31 AM
Thank you so much.
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...
This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
The Visibility Gap: Hybrid Networks and IT Services
The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
