
Logger TOP group by with limit on second field


Hi,

I'm dealing with a task to make a TOP based on sourceAddress and destinationHostName, where I would like to have just the TOP 20 destinationHostName per source.

Any idea how to achieve this?

Something like: | TOP 10000 sourceAddress 20 destinationHostName

Regards
Stepan


Accepted Solution

OK, after some experiments I have exactly what I need, so maybe it will be useful for someone else as well...

<limiting conditions> | chart count by sourceAddress destinationHostName | sort -sourceAddress - _count | dedup 2 sourceAddress

This query will end up with a result containing the top 2 combinations of sourceAddress and destinationHostName and the count of hits for each group-by combination.

In other words, without dedup the result will be:

IP1 domain1 456
IP1 domain2 50
IP1 domain3 20
IP1 domain4 5
IP1 domain5 2
IP2 domain1 468
IP2 domain2 89
IP2 domain3 50
IP3 domain1 9879
IP3 domain2 45
IP3 domain3 2

But dedup will do the magic, with the result:

IP1 domain1 456
IP1 domain2 50
IP2 domain1 468
IP2 domain2 89
IP3 domain1 9879
IP3 domain2 45


Regards

Stepan


3 Replies


Just a short update:

It is better to use TOP instead of CHART, as CHART is by default limited to 500 results, so the final result can be trimmed by this.

<limiting conditions> | top sourceAddress destinationHostName | sort -sourceAddress - _count | dedup 2 sourceAddress


Hi Stefan, how can we list the top 5 bytesOut, using a similar query?

| top sourceAddress sum(bytesOut) | sort -sourceAddress - _count | dedup 2 sourceAddress  (this throws an error)

As you said, chart will display only 500.

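The per-source top-N pipeline from the accepted answer (aggregate by sourceAddress and destinationHostName, sort by count descending, dedup N on sourceAddress), together with the sum(bytesOut) variant asked about in the last reply, re-implemented in plain Python as an added example. This is not Logger's own code and not the poster's query; it exists so the logic can be checked offline against exported event rows. The sample events are constructed, the `max_rows` cap is a stand-in for the 500-row chart limit mentioned in the update, and the assumption that a capped result keeps the first rows produced is this example's, not documented Logger behaviour.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): one dict per event.
EVENTS = [
    {"sourceAddress": "10.0.0.1", "destinationHostName": "a.example", "bytesOut": 500},
    {"sourceAddress": "10.0.0.1", "destinationHostName": "a.example", "bytesOut": 700},
    {"sourceAddress": "10.0.0.1", "destinationHostName": "b.example", "bytesOut": 4000},
    {"sourceAddress": "10.0.0.1", "destinationHostName": "c.example", "bytesOut": 10},
    {"sourceAddress": "10.0.0.1", "destinationHostName": "c.example", "bytesOut": 10},
    {"sourceAddress": "10.0.0.1", "destinationHostName": "c.example", "bytesOut": 10},
    {"sourceAddress": "10.0.0.2", "destinationHostName": "a.example", "bytesOut": 100},
    {"sourceAddress": "10.0.0.2", "destinationHostName": "d.example", "bytesOut": 2500},
    {"sourceAddress": "10.0.0.2", "destinationHostName": "d.example", "bytesOut": 2500},
    {"sourceAddress": "10.0.0.3", "destinationHostName": "e.example", "bytesOut": 1},
]

GROUP = ("sourceAddress", "destinationHostName")


def chart(events, group_fields=GROUP, agg="count", agg_field=None, max_rows=None):
    """Stand-in for `chart count by f1 f2` (agg="count") or
    `chart sum(x) by f1 f2` (agg="sum", agg_field="x").
    Returns one tuple per distinct combination: (f1, f2, ..., value).
    max_rows mimics a capped intermediate result (500 by default for chart,
    per the update in the thread); keeping the first rows produced is an
    assumption of this example, not documented Logger behaviour."""
    totals = defaultdict(int)
    for ev in events:
        key = tuple(ev[f] for f in group_fields)
        totals[key] += 1 if agg == "count" else ev[agg_field]
    rows = [key + (value,) for key, value in totals.items()]
    return rows if max_rows is None else rows[:max_rows]


def dedup_top(rows, n):
    """Stand-in for `sort -f1 -_count | dedup n f1`: order the rows so that
    rows for the same first field are adjacent with the highest value first,
    then keep only the first n rows per first-field value. The direction of
    the sort on f1 does not change which rows survive, only the group order."""
    ordered = sorted(rows, key=lambda r: (r[0], -r[-1]))
    seen = defaultdict(int)
    kept = []
    for row in ordered:
        if seen[row[0]] < n:
            seen[row[0]] += 1
            kept.append(row)
    return kept


def top_per_source(events, n, agg="count", agg_field=None, max_rows=None):
    """Whole pipeline: top n destinationHostName per sourceAddress."""
    return dedup_top(chart(events, GROUP, agg, agg_field, max_rows), n)


if __name__ == "__main__":
    print("top 2 destinations per source by event count:")
    for row in top_per_source(EVENTS, 2):
        print("  ", *row)
    print("top 2 destinations per source by sum(bytesOut):")
    for row in top_per_source(EVENTS, 2, agg="sum", agg_field="bytesOut"):
        print("  ", *row)
    # With the intermediate result capped at 4 rows, the 10.0.0.3 group never
    # reaches the dedup stage and is silently missing from the final output.
    print("with the aggregate capped at 4 rows:")
    for row in top_per_source(EVENTS, 2, max_rows=4):
        print("  ", *row)
```

The sum variant only changes what the last column holds; the sort and dedup stage is identical, which is why the same `dedup_top` serves both the count question and the bytesOut question. The capped run shows the failure mode the update warns about: when the aggregate is truncated before dedup, whole sources can drop out of the result without any error, so the final per-source list looks complete while it is not.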