bucket _time span=1d| eval _time = strftime(_time,"%b %d, %Y")| stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved, values(User_Name), values(MBytes_Moved) by _time
Above is my current search, but it only shows the total MB moved by all users. I want to show the total MB moved per user, per day.
What I am looking for would be:
Date           MBytes_Moved   User
Sept 20, 2016  2347           john.smith
               4675           john.wagner
               534            mike.smith
               1215           pablo.johnson
Sept 21, 2016  953            john.smith
               3246           lonnie.murray
               2312           max.effort
Sept 22, 2016  2347           jason.adams
               9087           john.doe
               5876           william.shelton
Thanks!
bucket _time span=1d| eval _time = strftime(_time,"%b %d, %Y")| stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved by _time User_Name
Try this
your base search | bucket _time span=1d| eval _time = strftime(_time,"%b %d, %Y")| stats sum(Bytes_Written) as MBytes_Moved by _time User_Name | eval MBytes_Moved=MBytes_Moved/(1024*1024) | stats sum(MBytes_Moved) as MBytes_Moved values(User_Name) values(MBytes_Moved) by _time
Update #2 for File_Moved column
your base search | bucket _time span=1d| eval _time = strftime(_time,"%b %d, %Y")| stats sum(Bytes_Written) as MBytes_Moved count as File_Moved by _time User_Name | eval MBytes_Moved=MBytes_Moved/(1024*1024) | stats sum(MBytes_Moved) as MBytes_Moved list(User_Name) list(MBytes_Moved) list(File_Moved) as File_Moved by _time
Ahh we're close! Nice work and thank you! Last but not least, I forgot to include my "Files Moved" column in all of that. This is how I achieved "Files Moved" before, how could we append this?
stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved, Count(_time) as Files_Moved by User_Name
See the updated answer...
That is a link to the screenshot of my results, we are so close, thanks for all the help.
The values aggregation function removes duplicate values, and there could very well be duplicate/same counts of files moved. Instead of the values function, use the list function. I've updated the answer.
He shoots he scores! Thanks so much, you're a wizard.
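To make the values() versus list() point concrete, here is an added Python emulation of the accepted search's two stats passes; it is not Splunk code and not from the thread, and the events, user names and sizes are constructed. It also keeps the real date as the group key and formats it only for display, because a string _time groups and sorts lexically ("Oct" before "Sep").

```python
from collections import defaultdict
from datetime import datetime, timezone

MIB = 1024 * 1024

# Constructed sample events (not from the thread): ISO timestamp, user, bytes written.
EVENTS = [
    ("2016-09-20T08:15:00Z", "john.smith",    2347 * MIB),
    ("2016-09-20T09:40:00Z", "john.wagner",   4675 * MIB),
    ("2016-09-20T11:05:00Z", "mike.smith",     534 * MIB),
    ("2016-09-20T13:30:00Z", "pablo.johnson",  534 * MIB),  # same MB as mike.smith on purpose
    ("2016-09-21T07:00:00Z", "john.smith",     953 * MIB),
    ("2016-09-21T07:30:00Z", "john.smith",     953 * MIB),  # second file, same size
    ("2016-09-21T10:00:00Z", "lonnie.murray", 3246 * MIB),
]

def per_user_per_day(events):
    """First pass: stats sum(Bytes_Written) as MBytes_Moved count as File_Moved by _time User_Name,
    followed by eval MBytes_Moved=MBytes_Moved/(1024*1024)."""
    agg = defaultdict(lambda: [0, 0])              # (day, user) -> [bytes, files]
    for ts, user, nbytes in events:
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()
        agg[(day, user)][0] += nbytes              # bucket _time span=1d
        agg[(day, user)][1] += 1
    return {k: (v[0] / MIB, v[1]) for k, v in agg.items()}

def roll_up(events, use_values=False):
    """Second pass: sum(MBytes_Moved) plus one multivalue column each for user, MB and file count by day.
    use_values=True emulates values(): sorted and de-duplicated, which is what misaligned the rows.
    use_values=False emulates list(): insertion order, duplicates kept, so the three columns stay row-aligned."""
    rows = defaultdict(lambda: {"users": [], "mb": [], "files": []})
    for (day, user), (mb, files) in sorted(per_user_per_day(events).items()):
        rows[day]["users"].append(user)
        rows[day]["mb"].append(mb)
        rows[day]["files"].append(files)
    out = {}
    for day, r in sorted(rows.items()):           # group on the real date, format only for display
        total = sum(r["mb"])                       # sum() is unaffected by values()/list()
        if use_values:
            r = {k: sorted(set(v)) for k, v in r.items()}
        out[day.strftime("%b %d, %Y")] = {"MBytes_Moved": total, **r}
    return out
```

With use_values=True the Sep 20 row carries four users but only three MB values, so nothing lines up; with list() every column has one entry per user.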