Splunk Search

Using Stats Command

rdelmark
Explorer

This search works great to provide me a list of hosts showing how much license usage over a 1 day period, but when I put it in a bar graph it does not work well because the stats command provides an OVERALL total as well as a total for each host. How do I remove the overall total and only show the total for the top 5 hosts?

index="_internal" source="*license_usage.log"
| rename h as host b as bytes
| eval my_splunk_server = splunk_server
| fields source mysourcetype host bytes pool originator my_splunk_server
| eval mbytes=((bytes/1024)/1024)
| stats sum(mbytes) as mbytes by host

0 Karma

rdelmark
Explorer

Here are the results I get when I added the head 5 and sort commands suggested. It is showing the overall TOTAL mbytes used for the 24hr period, as well as the mbytes used for each host. When I then click on the results chart icon to turn it into a bar chart it looks bad because I am charting the total mbytes used for the entire day when I only want a chart with the individual hosts.

host           mbytes
               39891.08222
scom01ms162    163.468506
dcmenprd1      163.271321
splk01as162    160.080222
sfp01spare     135.03406

0 Karma

somesoni2
SplunkTrust

As far as I know, the stats command, especially what you have written, should not be providing any OVERALL total. Would you mind sharing the final output (tabular) before the chart command? Also, to get the top 5, you can sort by mbytes and use "| head 5" at the end of the search.

0 Karma

bruceclarke
Contributor

I think something like this should work:

index="_internal" source="*license_usage.log"
| rename h as host b as bytes
| eval my_splunk_server = splunk_server
| fields source mysourcetype host bytes pool originator my_splunk_server
| eval mbytes=((bytes/1024)/1024)
| stats sum(mbytes) as mbytes by host
| sort -mbytes
| head 5
0 Karma
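Added example (not code from the thread or from Splunk): the blank-host row in the results above is most likely the daily type="RolloverSummary" line of license_usage.log, which carries the whole day's usage in b= but has no h= field, so after rename h as host it falls into an empty host bucket. The Python below models the stats/sort/head pipeline over constructed log lines and shows that restricting the base search to type=Usage drops that row before taking the top 5; the host names and byte counts are made up.

```python
import re
from collections import defaultdict

# Constructed license_usage.log lines (sample data made up for this example, not
# from the thread). type=Usage lines carry h= (the sending host); the daily
# type=RolloverSummary line carries the whole day's total in b= and no h= at all.
LOG_LINES = [
    'type="Usage" s="syslog" st="syslog" h="scom01ms162" idx="main" pool="p1" b=100000000',
    'type="Usage" s="syslog" st="syslog" h="dcmenprd1" idx="main" pool="p1" b=90000000',
    'type="Usage" s="syslog" st="syslog" h="scom01ms162" idx="main" pool="p1" b=71000000',
    'type="Usage" s="syslog" st="syslog" h="splk01as162" idx="main" pool="p1" b=60000000',
    'type="Usage" s="syslog" st="syslog" h="sfp01spare" idx="main" pool="p1" b=50000000',
    'type="Usage" s="syslog" st="syslog" h="app01" idx="main" pool="p1" b=10000000',
    'type="Usage" s="syslog" st="syslog" h="lab01" idx="main" pool="p1" b=1000000',
    'type="RolloverSummary" pool="p1" b=382000000 poolsz=53687091200',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value line into a dict, stripping the quotes Splunk adds."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def mbytes_by_host(lines, usage_only):
    """Model of `stats sum(mbytes) as mbytes by host` after `rename h as host`.
    With usage_only=False a line without h= lands in a blank-host bucket, which
    is the 'overall total' row seen in the thread."""
    totals = defaultdict(float)
    for event in map(parse_kv, lines):
        if usage_only and event.get("type") != "Usage":
            continue  # SPL equivalent: add type=Usage to the base search
        host = event.get("h", "")
        totals[host] += int(event["b"]) / 1024 / 1024
    return dict(totals)


def top_hosts(lines, n=5, usage_only=True):
    """Model of `| sort -mbytes | head 5`: highest-volume hosts first."""
    ranked = sorted(mbytes_by_host(lines, usage_only).items(), key=lambda kv: -kv[1])
    return ranked[:n]


if __name__ == "__main__":
    print("blank-host row present:", "" in mbytes_by_host(LOG_LINES, usage_only=False))
    for host, mb in top_hosts(LOG_LINES):
        print(f"{host:<14}{mb:>12.3f}")
```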