Hi everyone, I'm pretty new to Splunk (just started a little more than 2 weeks ago).
Currently I'm making a panel that would display columns with the following: User - Most Data Consumed Application - Most Data Usage from Application in MB - Data Used in MB. So for example, I have the following - John Smith - youtube.com - 123523 MB - 548432 MB
I'm having trouble figuring out how to get Splunk to compute the most data consumed application and display it with the application in my columns. I've only been able to create the 1st and 4th columns by using stats.
My current code is:
... | eval mb=(bytes/1024)/1024 | rename user AS "User" | stats sum(mb) AS "Data Used in MB" by "User" | sort -num("Data Used in MB")
I was thinking of adding another calculation to the stats command, but I can't think of a way to do this off the top of my head.
Any help would be appreciated.
Thank you,
Daniel