Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I convert this search into a tstats search leveraging the web datamodel?

jaywilwk
Engager
‎07-26-2016 01:06 PM

Here's the search:

index=proxysg sourcetype=proxysg | replace *pandora* with www.pandora.com in url | replace *facebook* with www.facebook.com in url | stats sum(bytes_in) as MB by url | eval MB=round(MB/1024/1024,2) | sort -MB

0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎07-26-2016 01:33 PM

If your data model is accelerated, try this:

| tstats prestats=false local=false summariesonly=true sum(Web.bytes_in) AS bytes_in from datamodel=Web where (Web.dest = *facebook* OR Web.dest=*pandora*) AND nodename=Web.Proxy by Web.dest | rename Web.dest AS dest | eval parent_site=if(match(dest, "^.*facebook.*$"), "www.facebook.com", "www.pandora.com") | stats sum(bytes_in) AS bytes_in by parent_site | eval MB=round(bytes_in/1024/1024,2) | sort - MB
0 Karma
Reply

jaywilwk
Engager
‎07-27-2016 07:23 AM

ok, this works great. I'm actually getting data from the datamodel, but it is only limiting it to those two websites (facebook and pandora). In my original search, it showed all urls, bu for pandora and facebook it took all the different pandora & facebook servers and renamed them to be www.pandora.com and www.facebook. Is it possible to do this using the tstats search?

0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎07-27-2016 07:35 AM

Sure! Check it out:

| tstats prestats=false local=false summariesonly=true sum(Web.bytes_in) AS bytes_in from datamodel=Web where nodename=Web.Proxy by Web.dest | rename Web.dest AS dest | replace *pandora* with www.pandora.com in dest | replace *facebook* with www.facebook.com in dest  | stats sum(bytes_in) AS bytes_in by dest | eval MB=round(bytes_in/1024/1024,2)

I think I missed what you were doing with the replace commands before.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...