Splunk Search

Sum of most used application in bytes when I have multiple applications

ddong
Engager

Hi everyone, I'm pretty new to Splunk (just started a little more than 2 weeks ago).

Currently I'm making a panel that would display columns with the following: User - Most Data Consumed Application - Most Data Usage from Application in MB - Data Used in MB. So for example, I have the following - John Smith - youtube.com - 123523 MB - 548432 MB

I'm having trouble figuring out how to get Splunk to compute the most data consumed application and display it with the application in my columns. I've only been able to create the 1st and 4th column, by using stats.

My current code is:
... | eval mb=(bytes/1024)/1024 | rename user AS "User" | stats sum(mb) AS "Data Used in MB" by "User" | sort -num("Data Used in MB")

I was thinking of adding another calculation to the stats command, but I can't think of a way to do this off the top of my head.

Any help would be appreciated.

Thank you,
Daniel


sundareshr
Legend

Try this

....  | eval mb=(bytes/1024)/1024 | rename user AS "User"  | chart sum(mb) AS "Data Used in MB" over User by Application | addtotals | sort -Total

ddong
Engager

This works quite nicely, but instead of just displaying the most used one, it displays all the applications I have in a table. Furthermore, it's not really what I'm looking for table-structure-wise:
User - application 1 - application 2 - application 3 - Total
jsmith - 0.12315MB - 0.16684MB - 4.12562MB - 4.41561MB

I want to have the table structured like this:
User - Data in MB - Application - Total
jsmith - 4.12562MB - application 3 - 4.41561

Thank you for the attempt though 🙂

Edit: made a mistake earlier in my search query and results became different after I took another look. So the results above are what I'm currently seeing.

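One way to get the requested table shape (User, top application's MB, its name, and the user's total), as an added SPL example that is not part of the original thread. It assumes the events carry `bytes` and `user` as in the question, and a per-event `application` field (that field name is an assumption; the thread only refers to applications informally):

```spl
... | eval mb=bytes/1024/1024
| stats sum(mb) AS app_mb BY user, application
| eventstats sum(app_mb) AS Total BY user
| sort 0 user, -app_mb
| dedup user
| rename user AS "User", app_mb AS "Data in MB", application AS "Application"
| table User, "Data in MB", Application, Total
| sort 0 -Total
```

`stats ... BY user, application` gives one row per user/application pair, `eventstats` attaches each user's overall total to every one of their rows, and sorting by user then descending `app_mb` before `dedup user` keeps only the highest-consuming application per user; `sort 0` lifts the default 10,000-row sort limit so no users are silently dropped.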