Solved: Re: top senders by number of attachments

moayadalghamdi · ‎02-21-2021

hello splunker !

in splunk, i want to print top email sender by the number of attachment, my command is:

index=emaileventtype="email-events" action=delivered | top 10 sender by AttachCount

but it produces more fields and they aren't sorted, like this:

and as you can see that it produced more than 10 values

i've also tried:

index=emaileventtype="email-events" action=delivered | top 10 sender by AttachCount
| stats sum(AttachCount) as AttachCount by sender
| top 10 AttachCount

and here's the result:

please help me, i need two fields only, top sender by AttachCount

Thanks

ITWhisperer · ‎02-21-2021

Your by clause on the top command is grouping then getting the top within each group, which doesn't sound like what you are after. Try something like this

index=emaileventtype="email-events" action=delivered 
| stats sum(AttachCount) as AttachCount by sender
| sort 10 -AttachCount

View solution in original post

ITWhisperer · ‎02-21-2021

Your by clause on the top command is grouping then getting the top within each group, which doesn't sound like what you are after. Try something like this

index=emaileventtype="email-events" action=delivered 
| stats sum(AttachCount) as AttachCount by sender
| sort 10 -AttachCount

top senders by number of attachments

count

fields

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...