bucket _time span=1d| eval _time = strftime(_time,"%b %d, %Y")| stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved, values(User_Name), values(MBytes_Moved) by _time
Above is my current search, but only shows the total MB moved by all users. I want to show total MB moved, per user, for the day.
What I am looking for would be:
Date MBytes_Moved User
Sept 20, 2016 2347 john.smith
4675 john.wagner
534 mike.smith
1215 pablo.johnson
Sept 21, 2016 953 john.smith
3246 lonnie.murray
2312 max.effort
Sept 22, 2016 2347 jason.adams
9087 john.doe
5876 william.shelton
Thanks!
↧