Taking it a step farther I changed the query to:
index=_internal source=license_usage.log type="Usage" earliest=-20d@d latest=@d idx!=cisco*
| fields _time, pool, idx, b
| bin _time span=1d
| stats sum(b) as b by _time, pool, idx
| stats sum(b) AS Bytes by idx, _time
| stats avg(Bytes) AS avgbytes by idx
| eval avgGB=round(avgbytes/1024/1024/1024,3)
| fields idx, avgGB
| rename avgGB AS "Average" idx AS "Index"
| search Average < 10
Also:
index=_internal source=license_usage.log type="Usage" earliest=-20d@d latest=@d idx=cisco*
| fields _time, pool, idx, b
| bin _time span=1d
| stats sum(b) as b by _time, pool, idx
| stats sum(b) AS Bytes by idx, _time
| stats avg(Bytes) AS avgbytes by idx
| eval avgGB=round(avgbytes/1024/1024/1024,3)
| fields idx, avgGB
| rename avgGB AS "Average" idx AS "Index"
| search Average < 10
Because cisco* I would expect to get something back
... View more