Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Stats Command

rdelmark
Explorer
‎12-16-2013 04:04 PM

this search works great to provide me a list of hosts showing how much license usage over a 1 day period, but when I put it in a bar graph it does not work well because the stats command provides an OVERALL total as well as a total for each host, how to I remove the overall total and only show the total for the top 5 hosts.

index="_internal" source="*license_usage.log"
| rename h as host b as bytes
| eval my_splunk_server = splunk_server
| fields source mysourcetype host bytes pool originator my_splunk_server
| eval mbytes=((bytes/1024)/1024)
| stats sum(mbytes) as mbytes by host

Tags (2)
0 Karma
Reply

rdelmark
Explorer
‎12-17-2013 08:07 AM

Here are the results I get when I added the Head 5 and sort commands suggested. It is showing the overall TOTAL mybtes used for the 24hr period, as well as the mbtyes used for each host. When I then click on the results chart icon to turn it into a bar chart it looks bad because I am charting the Total mbytes used for the entire day when I only want a chart with the individual hosts.

host mbytes
39891.08222
scom01ms162 163.468506
dcmenprd1 163.271321
splk01as162 160.080222
sfp01spare 135.03406

0 Karma
Reply

somesoni2
Revered Legend
‎12-16-2013 04:43 PM

I as far as I know, the stats command, especially what your have written, should not be providing any OVERALL total. Would you mind sharing the final output (tabular) before chart command. Also to get top 5, you can sort by mbytes and use "| head 5" in the end of search.

0 Karma
Reply

bruceclarke
Contributor
‎12-16-2013 04:42 PM

I think something like this should work:

index="_internal" source="*license_usage.log" 
| rename h as host b as bytes
| eval my_splunk_server = splunk_server 
| fields source mysourcetype host bytes pool originator my_splunk_server 
| eval mbytes=((bytes/1024)/1024) 
| stats sum(mbytes) as mbytes by host
| sort -mbytes
| head 5
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...