Splunk Search

Sum of most used application in bytes when I have multiple applications

ddong
Engager

Hi everyone, I'm pretty new to Splunk (just started a little more than 2 weeks ago).

Currently I'm making a panel that would display columns with the following: User - Most Data Consumed Application - Most Data Usage from Application in MB - Data Used in MB. So for example, I have the following - John Smith - youtube.com - 123523 MB - 548432 MB

I'm having trouble figuring out how to get Splunk to compute the most data consumed application and display it with the application in my columns. I've only been able to create the 1st and 4th columns, by using stats.

My current code is:
... | eval mb=(bytes/1024)/1024 | rename user AS "User" | stats sum(mb) AS "Data Used in MB" by "User" | sort -num("Data Used in MB")

I was thinking of adding another calculation to the stats command, but I can't think of a way to do this off the top of my head.

Any help would be appreciated.

Thank you,
Daniel

0 Karma

sundareshr
Legend

Try this

....  | eval mb=(bytes/1024)/1024 | rename user AS "User"  | chart sum(mb) AS "Data Used in MB" over User by Application | addtotals | sort -Total
0 Karma

ddong
Engager

This works quite nicely, but instead of just displaying the most used one, it displays all the applications I have in a table. Furthermore, it's not really what I'm looking for table-structure-wise:
User - application 1 - application 2 - application 3 - Total
jsmith - 0.12315MB - 0.16684MB - 4.12562MB - 4.41561MB

I want to have the table structured like this:
User - Data in MB - Application - Total
jsmith - 4.12562MB - application 3 - 4.41561

Thank you for the attempt though 🙂

Edit: made a mistake earlier in my search query and results became different after I took another look. So the results above are what I'm currently seeing.

0 Karma
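
One way to get the one-row-per-user layout asked for above, as an added example that is not part of the original thread: sum per user and application, attach each user's total with eventstats, then keep only each user's largest application. The fields bytes, user and Application are taken from the posts; app_mb and total_mb are names introduced here, and the leading ... stands for the base search, which the thread does not show.

```spl
...
| eval mb=bytes/1024/1024
| stats sum(mb) AS app_mb BY user, Application
| eventstats sum(app_mb) AS total_mb BY user
| sort 0 user, -app_mb
| dedup user
| sort 0 -total_mb
| eval app_mb=round(app_mb, 2), total_mb=round(total_mb, 2)
| rename user AS "User", Application AS "Most Data Consumed Application", app_mb AS "Most Data Usage from Application in MB", total_mb AS "Data Used in MB"
| table "User", "Most Data Consumed Application", "Most Data Usage from Application in MB", "Data Used in MB"
```

dedup keeps the first row it sees for each user, so the sort before it decides which application survives; sort 0 lifts the default 10,000-row limit so that no user's top application is cut off before dedup runs.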