Average Index License Deviation Over The Past Month - Search Check

paimonsoror
Builder

Hi Folks;

I am looking to get the deviation of license usage for each particular index over a 30-day period. My hope is to use this data to forecast the estimated max per month that a particular group (index) may use. I have the following basic search, but was hoping to get an extra set of eyes to make sure my math is correct:

earliest=-30d@d latest=@d  index=_internal source=*license_usage.log* type=Usage idx="*" | stats sum(b) AS Bytes stdev(b) AS Deviation by idx | eval GB = Bytes/1024/1024/1024 | eval DevMB = Deviation/1024/1024 |  eval "Daily Avg Usage" = GB/30 | rename idx as Index | table Index "Daily Avg Usage" "DevMB"

rjthibod
Champion

You might want to consider distinguishing between days of the week, or weekdays versus weekends, depending on what kind of operation you are dealing with. Here is a modification to break down the stats by day of the week.

earliest=-30d@d latest=@d index=_internal source=*license_usage.log* type=Usage idx="*"
| fields _time b idx 
| bin _time span=1d 
| stats sum(b) AS Bytes by idx _time 
| eval wday = strftime(_time, "%A")
| stats avg(Bytes) as avg sum(Bytes) as sum stdev(Bytes) as dev by idx wday
| foreach avg sum dev [eval <<FIELD>>GB = round(<<FIELD>>/1024/1024/1024, 3)]
| rename idx as Index, wday as Weekday
| fields Index Weekday avgGB sumGB devGB
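The same pipeline carried out over constructed license_usage.log-style lines, as an added Python example that is not part of this thread, so the numbers the search returns can be sanity-checked before they are used for forecasting. It assumes the log's `MM-DD-YYYY HH:MM:SS.mmm +zzzz` timestamp prefix, bins days in UTC (Splunk bins in the searching user's timezone) and reports the stdev of a single daily sample as 0.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

# Constructed sample lines in the shape of license_usage.log (not real data); only the
# fields the search uses matter here: the timestamp, type=Usage, idx="..." and b=<bytes>.
SAMPLE_LOG = """\
03-06-2017 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage idx="main" pool="auto_generated_pool_enterprise" b=1073741824
03-06-2017 12:01:00.000 +0000 INFO  LicenseUsage - type=Usage idx="main" pool="auto_generated_pool_enterprise" b=1073741824
03-13-2017 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage idx="main" pool="auto_generated_pool_enterprise" b=4294967296
03-07-2017 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage idx="main" pool="auto_generated_pool_enterprise" b=3221225472
03-06-2017 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage idx="security" pool="auto_generated_pool_enterprise" b=536870912
03-13-2017 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage idx="security" pool="auto_generated_pool_enterprise" b=536870912
03-14-2017 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary b=9999999999
"""

USAGE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*?\btype=Usage\b'
    r'.*?\bidx="(?P<idx>[^"]*)".*?\bb=(?P<b>\d+)'
)
GIB = 1024 ** 3  # the search divides by 1024 three times, i.e. GiB


def weekday_stats(log_text):
    """Mirror the SPL: bin by day, sum b per idx/day, then avg/sum/stdev per idx/weekday.
    Returns {(idx, weekday): (avgGB, sumGB, devGB)} rounded to 3 decimals like round(..., 3).
    Assumptions: days are binned in UTC; stdev of a single daily sample is reported as 0.
    """
    daily = defaultdict(int)            # (idx, date) -> bytes: "bin _time span=1d | stats sum(b)"
    for line in log_text.splitlines():
        m = USAGE_RE.match(line)
        if not m:                        # type=Usage drops RolloverSummary and other event types
            continue
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z").astimezone(timezone.utc)
        daily[(m["idx"], ts.date())] += int(m["b"])

    per_weekday = defaultdict(list)     # (idx, weekday) -> list of daily totals
    for (idx, day), total in daily.items():
        per_weekday[(idx, day.strftime("%A"))].append(total)   # strftime(_time, "%A")

    out = {}
    for key, totals in per_weekday.items():
        dev = stdev(totals) if len(totals) > 1 else 0.0   # Splunk stdev is the sample stdev
        out[key] = tuple(round(v / GIB, 3) for v in (mean(totals), sum(totals), dev))
    return out
```

With only two Mondays of data per index the deviation rests on two samples, which is the same caveat that applies to the 30-day search: roughly four samples per weekday.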

paimonsoror
Builder

Super fast response! Love it.

Had to fix something, I assume you meant:
| eval wday = strftime(_time, " %w")

Else I got an error on my end (6.4.2).

still getting an error though on the last eval command:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<>/1024/1024/1024, 3)'.


paimonsoror
Builder

Never mind, got it, just needed to have "FIELD" in caps.

THANKS!!!!

Can an admin please convert rjthibod's response to an answer!


rjthibod
Champion

Sorry about that. Good catch.
