I am attempting to write a license usage search and I would like to be able to see the usage for the last 7 days. Here is what I am using so far and it shows the usage just fine all added together. I would like it to be broken down by day, any ideas?
index=_internal source=license_usage pool="auto_generated_pool_enterprise" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool
If you want to
a) end up with the data in graph form with both pool and day-of-week values, then you want to look at the chart command.
index=_internal source=license_usage pool="auto_generated_pool_enterprise" | eval GB=b/1024/1024/1024 | chart sum(GB) over date_wday by pool
b) if you dont want to graph it and you want to end up with more of a flat table where each row is a unique combination of a pool value and a day-of-week value, then you would use stats this way:
index=_internal source=license_usage pool="auto_generated_pool_enterprise" | eval GB=b/1024/1024/1024 | stats sum(GB) by date_wday pool
hth