Solved: how to add a sum in a top search?

liusf · ‎01-14-2015

Hello. I have this search:

*  app="youtube" | top  limit=20 srcip by app showperc=f countfield=total

of this log:

date=2015-01-14 time=08:32:10 srcip=192.168.1.200 app="Youtube" rcvdbyte=121 
date=2015-01-14 time=08:38:10 srcip=192.168.1.200 app="Youtube" rcvdbyte=500
date=2015-01-14 time=08:32:10 srcip=192.168.1.200 app="Youtube" rcvdbyte=900

I need to add the total of bytes received (rcvdbyte) per IP in that App. I tried with stats sum before and after the top but the results are blank. Thanks

somesoni2 · ‎01-14-2015

Give this a try

* app="youtube" | stats sum(rcvdbyte) as rcvdbytes count as total by app,srcip | sort app, -total| streamstats count as sno by app | where sno<21 | table app srcip total rcvdbytes

View solution in original post

somesoni2 · ‎01-14-2015

Give this a try

* app="youtube" | stats sum(rcvdbyte) as rcvdbytes count as total by app,srcip | sort app, -total| streamstats count as sno by app | where sno<21 | table app srcip total rcvdbytes

liusf · ‎01-14-2015

It didn't work. rcvbytes = null

somesoni2 · ‎01-14-2015

Field name was incorrect in my search, updated it now. Check back.

liusf · ‎01-14-2015

Thanks. It works now

how to add a sum in a top search?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!