I've looked at this link:
http://answers.splunk.com/answers/7228/change-column-color-if-over-a-range
However, I am trying to make a chart to show our Splunk license overages (past 30 days, span of 1 day). I'm not sure how to combine the timechart span capability (1 day) with the method in that link.
Any help is appreciated, and thanks!
In that example, use bucket before stats. The edited search is below:
Your base search | bucket _time span=1d
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low
Include earliest and latest search-time modifiers in your base search.
Check if this works.
Thank you!
Here you go
index=_internal source=*metrics.log group="per_index_thruput" | timechart span=1d sum(kb) as TotalKB | eval high=if(TotalKB>1000,TotalKB,0) | eval low=TotalKB-high | fields - TotalKB
More information at: http://blogs.splunk.com/2008/03/13/digging-into-metrics-log/
You can do some math and convert it into GB if you need.
eval TotalGB=TotalKB/1048576
Include earliest and latest search time modifiers as per your needs.
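To make the high/low split and the day bucketing concrete, here is an added Python model of what the search above does. It is not from the thread or from Splunk: it parses a few constructed metrics.log lines (sample data, not real), buckets them per day the way `bucket _time span=1d` / `timechart span=1d` does (here on UTC midnight; Splunk uses the search time zone), sums kb for group=per_index_thruput, splits each daily total into high/low around the 1000 KB threshold the answer uses, and applies the same KB-to-GB divisor. All function names are mine.

```python
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample metrics.log lines (not real data). Only the fields the
# search uses matter: the timestamp, group=... and kb=...
SAMPLE_METRICS_LOG = """\
01-02-2024 00:10:01.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kb=600.5, ev=1200
01-02-2024 12:10:01.000 +0000 INFO  Metrics - group=per_index_thruput, series="web", kb=700.0, ev=900
01-02-2024 13:10:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kb=9999.0, ev=5
01-03-2024 03:10:01.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kb=250.0, ev=400
01-03-2024 23:59:59.000 +0000 INFO  Metrics - group=per_index_thruput, series="web", kb=150.0, ev=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*?"
    r"group=(?P<group>[^,\s]+).*?kb=(?P<kb>[0-9.]+)"
)

DAY = 86400
KB_PER_GB = 1048576  # the divisor used in the answer above (1024 * 1024)


def parse_metrics(text):
    """Turn raw metrics.log lines into (epoch_seconds, group, kb) tuples.
    Lines that do not carry the expected fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        events.append((ts.timestamp(), m.group("group"), float(m.group("kb"))))
    return events


def bucket_day(epoch):
    """Model of `bucket _time span=1d`: floor the timestamp to UTC midnight."""
    return int(epoch) - int(epoch) % DAY


def daily_totals(events, group="per_index_thruput"):
    """Model of the group= filter followed by `stats sum(kb) by _time` over day buckets."""
    totals = defaultdict(float)
    for epoch, grp, kb in events:
        if grp == group:
            totals[bucket_day(epoch)] += kb
    return dict(totals)


def split_high_low(totals, threshold=1000.0):
    """Model of `eval high=if(TotalKB>threshold,TotalKB,0) | eval low=TotalKB-high`.
    Each day lands entirely in one series, so a stacked column chart with two
    colours shows over-limit days in the 'high' colour and the rest in 'low'."""
    rows = []
    for day in sorted(totals):
        total = totals[day]
        high = total if total > threshold else 0.0
        rows.append({"_time": day, "high": high, "low": total - high})
    return rows


def kb_to_gb(kb):
    """Model of `eval TotalGB=TotalKB/1048576`."""
    return kb / KB_PER_GB


def chart_rows(text, threshold=1000.0):
    """Whole pipeline: raw lines -> per-day high/low rows ready to chart."""
    return split_high_low(daily_totals(parse_metrics(text)), threshold)


if __name__ == "__main__":
    for row in chart_rows(SAMPLE_METRICS_LOG):
        day = datetime.fromtimestamp(row["_time"], tz=timezone.utc).date()
        print(day, row, "GB:", round(kb_to_gb(row["high"] + row["low"]), 6))
```

With the sample lines, 2024-01-02 sums to 1300.5 KB from the two per_index_thruput entries (the per_sourcetype_thruput line is filtered out, as the group= term in the search does), so it appears only in high; 2024-01-03 sums to 400 KB and appears only in low. Set the threshold to your daily license volume in KB (or convert the totals to GB first with the same divisor) to get the overage chart the question asks for.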
It's Splunk internal data:
index=_internal source=*metrics.log group=per_index_thruput series!=*
Using the "kb" field
Can you post some sample data? That will help us help you better.
The problem is I am not counting events. I am adding up the "kb" field in the metrics to determine how much data we logged in a day. The stats command doesn't allow me to use a variable, it seems.
I tried one more way:
Your base search | timechart span=1d count | eval high=if(count>1000,count,0) | eval low=count-high | fields - count
Even this works.