Solved: Looking for a way to create better tables for larg...

bcarlson · ‎05-03-2013

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day | table User, day, Total_Bytes

My Splunk search above is pulling the data that I need, but the table is getting huge.(over 2 mil rows and counting. I am looking for recommendations on ways to table the data differently. My goal at the end of this is to create a table that shows the number of days a user used data and the total number of bytes they used for a customer time range. Any ideas? A small sample of the data is below.
thks
bob

User Day (converted to Julian) Total Bytes Used
1 100 1024
2 100 1024
3 100 1024
4 100 1024
5 100 1024
6 100 1024
7 100 1024
8 100 1024
9 100 1024
1 101 2048
2 101 2048
3 101 2048
4 101 2048
5 101 2048
6 101 2048
7 101 2048
8 101 2048
9 101 2048
1 102 3072
2 102 3072
3 102 3072
4 102 3072
5 102 3072
6 102 3072
7 102 3072
8 102 3072
9 102 3072

chris · ‎05-03-2013

Have a look at the stats command, you could try something like:

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day |  stats dc(day) sum(Total_Bytes) by User

View solution in original post

chris · ‎05-03-2013

Have a look at the stats command, you could try something like:

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day |  stats dc(day) sum(Total_Bytes) by User

bcarlson · ‎05-06-2013

Chris,
Thanks a bunch the command you suggested worked perfectly!
Bob

chris · ‎05-03-2013

Good luck let me know if it does not work/isn't what you wanted

bcarlson · ‎05-03-2013

Chris,

thanks, I am running it and will see how it does. Have a great weekend!
bob

Looking for a way to create better tables for large file

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life