- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- change count in chart to actual value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
i have two fields that i want to report on.
basically data from a wireless lan controller where we have "bytes received" and "username"
at the moment i can select both these fields and then visualize and it will show the usernames along the x axis which is what i want but it won't show the values for bytes recieved...only the "count" of events which isn't really useful.
essentially what i want to do is....
IF a username has more than 1 event then add "bytes received" together for each event into one value for each username.
the "bytes received" will be the Y axis and the usernames will be the X axis.
any idea on how i would do this? it's looking like it would be quite a complicated search??? but not sure.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @nolesrb5343 said...this was the solution to the problem.
source="Wireless_Gobblers_20150504_102111_716.csv" host="prime" index="prime-test" sourcetype="ios:prime-test" "Bytes Received" > 0 | chart sum("Bytes Received") OVER "Client Username"
using sum over the field. relatively simple.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @nolesrb5343 said...this was the solution to the problem.
source="Wireless_Gobblers_20150504_102111_716.csv" host="prime" index="prime-test" sourcetype="ios:prime-test" "Bytes Received" > 0 | chart sum("Bytes Received") OVER "Client Username"
using sum over the field. relatively simple.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use sum("bytes received") for splunk to add the values of those fields together. Have a look here.
If you have any struggle with that, post your search and we'll help you modify it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="Wireless_Gobblers_20150504_102111_716.csv" host="prime" index="prime-test" sourcetype="ios:prime-test" "Bytes Received" > 0
currently grabs all the events where the bytes received is more than 0 as we don't care about anything that doesn't send any data.
i can filter the sources to bytes received and username but then have a lot of trouble getting it into a readable graph where the bytes are on the Y axis and the usernames are on the X axis.
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried ... | chart sum("bytes received") OVER usernames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i understand the string...but where is "bytes" coming from? should that be "Bytes Received"??
sorry still wrapping my head around searching in Splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh should be...this.
source="Wireless_Gobblers_20150504_102111_716.csv" host="prime" index="prime-test" sourcetype="ios:prime-test" "Bytes Received" > 0 | chart sum("Bytes Received") OVER "Client Username"
that works actually.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
