- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sort after limit row?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi:
I'hope sort after limit row, i try head or sort limit or top...but fail, what can i do?
Thank you
sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidth(MB)) as bandwidth(MB) by srcip| table srcip,dstip,app,hostname bandwidth(MB)|sort bandwidth(MB) desc
now:
srcip dstip ... bandwidth(MB)
1.1.1.1 2.2.2.2 5
3.3.3.3 5
4.4.4.4 5
....
10.10.10.10
hope modify to dstip limit 3:
srcip dstip ... bandwidth(MB)
1.1.1.1 2.2.2.2 5
3.3.3.3 5
4.4.4.4 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure exactly what you want here, but you have some errors in your search. First ( is not a valid character in a field name, unless you enclose it in quotation marks (sometimes double quotes and sometimes single quotes). So I suggest that you use a different field name like bandwidthMB to avoid this problem.
sourcetype=xxx
|eval bandwidth=rcvdbyte+sentbyte
| eval bandwidthMB = round(bandwidth/1024/1024,2)
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| sort 10 -bandwidthMB
By adding the 10 into the sort command, you will only see the top 10 values of bandwidthMB
If you only want to see the top 3 values of dstip, you can do this:
sourcetype=xxx
| eval bandwidthMB=round((rcvdbyte+sentbyte )/1024/1024,2)
| stats count sum(bandwidthMB) as bandwidthMB by dstip app hostname srcip
| sort srcip -count
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| eval dstipList = mvjoin(dstip,";")
| eval dstipList = replace(dstipList,"^(.+?;.+?;.+?);.*","\1")
| eval dstip=split(dstipList,";")
| fields - dstipList
| sort 10 -bandwidthMB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure exactly what you want here, but you have some errors in your search. First ( is not a valid character in a field name, unless you enclose it in quotation marks (sometimes double quotes and sometimes single quotes). So I suggest that you use a different field name like bandwidthMB to avoid this problem.
sourcetype=xxx
|eval bandwidth=rcvdbyte+sentbyte
| eval bandwidthMB = round(bandwidth/1024/1024,2)
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| sort 10 -bandwidthMB
By adding the 10 into the sort command, you will only see the top 10 values of bandwidthMB
If you only want to see the top 3 values of dstip, you can do this:
sourcetype=xxx
| eval bandwidthMB=round((rcvdbyte+sentbyte )/1024/1024,2)
| stats count sum(bandwidthMB) as bandwidthMB by dstip app hostname srcip
| sort srcip -count
| stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip
| eval dstipList = mvjoin(dstip,";")
| eval dstipList = replace(dstipList,"^(.+?;.+?;.+?);.*","\1")
| eval dstip=split(dstipList,";")
| fields - dstipList
| sort 10 -bandwidthMB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
