Hello All - I have the following search query with following search results below. What I like to do is to limit the Destinations to about 5 or 10. Currently with popular categories - I get double digit Destinations. Thanks for the help.
Query:
index=summary earliest="-1d@d" latest="-1d@d+1h" | fields category, total_bytes, cs_uri_authority | eval domain=lower(cs_uri_authority) | stats sum(eval(round(total_bytes/1024/1024,2))) as b by category, domain | sort -b | stats sum(b) as CategoryMBytes, list(domain) as Destinations, list(b) as DestinationMBytes by category | eventstats sum(CategoryMBytes) as TotalMBytes | eval PercentOfTotal = 100 * CategoryMBytes / TotalMBytes . "%" | sort -CategoryMBytes | rename category as Category | table Category, CategoryMBytes, PercentOfTotal, Destinations, DestinationMBytes | head 10
Result:
Category CategoryMBytes PercentOfTotal Destinations DestinationMBytes
-----------------------------------------------------------------------------------------------
Audio/Video Clips 500 26.005% ytimg.com 300
youtube.com 82.09
go.com 10
123.com 10
blahblah.com 10
wjla.com 10
....
News/Media 473 22.5% nytimes.com 34.18
washingtonpost.com 10
... View more