- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Average Index License Deviation Over The Past Mont...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Folks;
I am looking to get the deviation of license usage for each particular index over a 30 day period. My hope is to use this data to forcast the estimated max per month that a particular group (index) may use. I have the following basic search, but was hoping to get an extra set of eyes to make sure my math is correct:
earliest=-30d@d latest=@d index=_internal source=*license_usage.log* type=Usage idx="*" | stats sum(b) AS Bytes stdev(b) AS Deviation by idx | eval GB = Bytes/1024/1024/1024 | eval DevMB = Deviation/1024/1024 | eval "Daily Avg Usage" = GB/30 | rename idx as Index | table Index "Daily Avg Usage" "DevMB"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might want to consider distinguishing between days of the week, or weekdays versus weekends, depending on what kind of operation you are dealing with. Here is a modification to breakdown the stats by day of the week.
earliest=-30d@d latest=@d index=_internal source=*license_usage.log* type=Usage idx="*"
| fields _time b idx
| bin _time span=1d
| stats sum(b) AS Bytes by idx _time
| eval wday = strftime(_time, "%A")
| stats avg(Bytes) as avg sum(Bytes) as sum stdev(Bytes) as dev by idx wday
| foreach avg sum dev [eval <<FIELD>>GB = round(<<FIELD>>/1024/1024/1024, 3)]
| rename idx as Index, wday as Weekday
| fields Index Weekday avgGB sumGB devGB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might want to consider distinguishing between days of the week, or weekdays versus weekends, depending on what kind of operation you are dealing with. Here is a modification to breakdown the stats by day of the week.
earliest=-30d@d latest=@d index=_internal source=*license_usage.log* type=Usage idx="*"
| fields _time b idx
| bin _time span=1d
| stats sum(b) AS Bytes by idx _time
| eval wday = strftime(_time, "%A")
| stats avg(Bytes) as avg sum(Bytes) as sum stdev(Bytes) as dev by idx wday
| foreach avg sum dev [eval <<FIELD>>GB = round(<<FIELD>>/1024/1024/1024, 3)]
| rename idx as Index, wday as Weekday
| fields Index Weekday avgGB sumGB devGB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Super fast response! Love it.
had to fix something, i assume you meant:
| eval wday = strftime(_time, " %w")
else i got an error on my end (6.4.2)
still getting an error though on the last eval command:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<>/1024/1024/1024, 3)'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, got it, just needed to have "FIELD" in caps
THANKS!!!!
Can an admin please convert rjthibod's response to answer!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry about. Good catch.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
