I'm building a daily history for one of my log sources. I'm currently using the count of events via the top
command to dictate the order and values as shown below.
index=foreweb ...... | top TopLevelHost by c_ip limit=10 | stats list(TopLevelHost) list(count) by c_ip | sort list(count) desc
This works well. I also have a field sc_bytes
present in each entry. I'd like to replace the logic for top TopLevelHost by c_ip limit=10
with something that'll work based on the sum of sc_bytes.
What are my options?
Try this
index=foreweb ...| stats sum(sc_bytes) as sum by TopLevelHost, c_ip | sort -sum | streamstats count as sno by c_ip | where sno < 11 | stats list(TopLevelHost) list(sum) by c_ip | sort list(sum) desc
Many thanks. I'd also like to be able to convert the sum fields from bytes to megabytes. Can you provide an example of how to do so? I'd assume an eval and dividing by 1048576 would be all that is required but I'm not sure where to place it.
@somesoni2 - I want the logic to work exactly the same as outlined in the top command, only based on the sum of the sc_bytes instead of the count of events for a given c_ip. I guess that it'd need to be separated by c_ip, but I'm not really sure.
What is the condition you want to put based on the sc_bytes sum?
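The same ranking the answer's search performs (sum sc_bytes per TopLevelHost and c_ip, keep the 10 largest hosts per c_ip, convert the totals to megabytes with 1048576 as asked above), reimplemented outside Splunk so the expected output can be checked against what the search returns. This is an added example, not code from the thread; the event records are constructed sample values.

```python
from collections import defaultdict

MB = 1048576  # bytes per megabyte, the divisor proposed in the thread

# Constructed sample proxy events (hypothetical hosts, IPs and byte counts)
SAMPLE_EVENTS = [
    {"c_ip": "10.0.0.5", "TopLevelHost": "cdn.example.com", "sc_bytes": 3145728},
    {"c_ip": "10.0.0.5", "TopLevelHost": "cdn.example.com", "sc_bytes": 1048576},
    {"c_ip": "10.0.0.5", "TopLevelHost": "mail.example.org", "sc_bytes": 524288},
    {"c_ip": "10.0.0.5", "TopLevelHost": "updates.example.net", "sc_bytes": 2097152},
    {"c_ip": "10.0.0.9", "TopLevelHost": "mail.example.org", "sc_bytes": 8388608},
    {"c_ip": "10.0.0.9", "TopLevelHost": "cdn.example.com", "sc_bytes": 262144},
]


def top_hosts_by_bytes(events, limit=10):
    """Mirror of the SPL pipeline:
    stats sum(sc_bytes) as sum by TopLevelHost, c_ip | sort -sum
    | streamstats count as sno by c_ip | where sno < limit+1
    | stats list(TopLevelHost) list(sum) by c_ip | sort list(sum) desc
    Returns {c_ip: [(host, sum_bytes, sum_mb), ...]}, hosts in descending
    byte order, c_ips ordered by their largest host total.
    """
    # stats sum(sc_bytes) by TopLevelHost, c_ip
    totals = defaultdict(int)
    for e in events:
        totals[(e["c_ip"], e["TopLevelHost"])] += int(e["sc_bytes"])

    # sort -sum (ties broken by host name so output is deterministic),
    # then streamstats count by c_ip | where sno < limit+1
    per_ip = defaultdict(list)
    for (c_ip, host), b in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0][1])):
        if len(per_ip[c_ip]) < limit:
            # eval sum_mb=round(sum/1048576,2): the bytes-to-MB step sits after
            # the first stats and before the list() aggregation
            per_ip[c_ip].append((host, b, round(b / MB, 2)))

    # sort list(sum) desc: order c_ips by the first (largest) value of their list
    return dict(sorted(per_ip.items(), key=lambda kv: -kv[1][0][1]))


if __name__ == "__main__":
    for c_ip, rows in top_hosts_by_bytes(SAMPLE_EVENTS).items():
        print(c_ip, rows)
```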