So basically what i need is 3 columns which contains the top 10 visited URL's with count sorted by highest bandwidth used by them.
URL | COUNT | SUM(Bandwidth)
any help would be greatly appreciated..new to splunk.
Try this
index=weblogs [search index=weblogs | top 10 url | fields url ] | stats count sum(bandwidth) as sum by url
Let's avoid subsearches as much as possible. Maybe this:
index=weblogs | fields url bandwidth | stats count sum(bandwidth) as bw by url | top 10 bw
You could also sort after the stats and do a | head 10 if that top is cutting out your fields.
Thank Esix, but this search just shows the top 10 urls by bandwidth used, what i want is top 10 url's visited and then sort those 10 url's by bandwidth used.
any way to do it without using subsearches?
Using Esix's search change | top 10 bw
to | top 10 bw url
Try this
index=weblogs [search index=weblogs | top 10 url | fields url ] | stats count sum(bandwidth) as sum by url
Thanks a lot @sundareshr, works like a charm but the only problem is that i couldn't get the count field in my final result.
I tried adding it using fields but i get a blank column without values.
here is my search:
index=weblog [search index=weblog | top 10 url |fields url] |stats sum(bandwidth) by url | sort -sum(bandwidth) | fields url, sum(bandwidth),count
change your stats
command to
.... |stats count sum(bandwidth) by url |
To @esix point, its is best to avoid subsearches. I should have thought of that. You can change you search to
index=weblog | stats count sum(bandwidth) as bandwidth | sort count | head 10