I am trying to audit bandwidth usage. The following search works as expected, except the URLs flood the URL field. I want the top 5:<code>
Search here
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal
| head 10</code>
When I try to limit the domains listed using "top" like this:<code>
Search here
| top limit=5 url by user
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal
| head 10</code>
The URL list is limited to 5 results per row; the problem is my sent/received/transferred fields go blank. And when I try putting "top" further down like this:<code>
search here
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| top limit=5 url by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal
| head 10</code>
I get "No results found."
I am using Verbose mode and in every instance I can see events on the events tab of the search window. I'm wondering if I am using top incorrectly.
Thanks in advance for reading and for any help you can provide.
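An added example, not part of the original post: `top` returns only the counted field, its `by` fields, `count` and `percent`, so `sent` and `received` are gone before `stats` runs, and after `stats ... by user` the lowercase `url` field no longer exists for `top` to count. The search below keeps the totals by aggregating per user and URL first, computing per-user totals with `eventstats`, and only then trimming to the five most frequent URLs per user. It assumes the `user`, `url`, `sent` and `received` fields from the post and ranks URLs by event count as `top` does; `hits`, `url_sent`, `url_received` and `rank` are names introduced here.

```spl
Search here
| stats count as hits sum(sent) as url_sent sum(received) as url_received by user url
| eventstats sum(url_sent) as SentTotal sum(url_received) as ReceivedTotal by user
| sort 0 user -hits
| streamstats count as rank by user
| where rank<=5
| stats list(url) as URL max(SentTotal) as SentTotal max(ReceivedTotal) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal
| head 10
```

To rank each user's URLs by volume instead of frequency, sort on `-url_received` (or a sum of both byte fields) in place of `-hits`.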