Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for a way to create better tables for large file

bcarlson
New Member
‎05-03-2013 02:24 PM

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day | table User, day, Total_Bytes

My Splunk search above is pulling the data that I need, but the table is getting huge.(over 2 mil rows and counting. I am looking for recommendations on ways to table the data differently. My goal at the end of this is to create a table that shows the number of days a user used data and the total number of bytes they used for a customer time range. Any ideas? A small sample of the data is below.
thks
bob

User Day (converted to Julian) Total Bytes Used
1 100 1024
2 100 1024
3 100 1024
4 100 1024
5 100 1024
6 100 1024
7 100 1024
8 100 1024
9 100 1024
1 101 2048
2 101 2048
3 101 2048
4 101 2048
5 101 2048
6 101 2048
7 101 2048
8 101 2048
9 101 2048
1 102 3072
2 102 3072
3 102 3072
4 102 3072
5 102 3072
6 102 3072
7 102 3072
8 102 3072
9 102 3072

Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎05-03-2013 03:01 PM

Have a look at the stats command, you could try something like:

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day |  stats dc(day) sum(Total_Bytes) by User

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎05-03-2013 03:01 PM

Have a look at the stats command, you could try something like:

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day |  stats dc(day) sum(Total_Bytes) by User
Reply
Solved! Jump to solution

bcarlson
New Member
‎05-06-2013 05:46 AM

Chris,
Thanks a bunch the command you suggested worked perfectly!
Bob

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎05-03-2013 03:05 PM

Good luck let me know if it does not work/isn't what you wanted

0 Karma
Reply
Solved! Jump to solution

bcarlson
New Member
‎05-03-2013 03:04 PM

Chris,

thanks, I am running it and will see how it does. Have a great weekend!
bob

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...