Can I please get help to modify the below query to display results for each day of the last 30 days, showing the rawTotal, diskTotal and compression?
| dbinspect index=webserver_index
| fields state,id,rawSize,sizeOnDiskMB,index,splunk_server
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB by index splunk_server
| eval diskTotalinGB=round(diskTotalinMB/1024,2)
| eval rawTotalinGB=round(rawTotal/(1024*1024*1024),2)
| fields - rawTotal
| eval compression=tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%"
| table index, splunk_server, rawTotalinGB, diskTotalinGB, compression
| addcoltotals rawTotalinGB diskTotalinGB labelfield=splunk_server label="Total Usage(GB)"
Give this a try (may not be the fastest search you will see):
| dbinspect index=webserver_index span=1h
| untable _time bucket count
| dedup bucket
| rex field=bucket "(?<state>\w+)-(?<id>\d+)"
| sort 0 -_time
| dedup id
| join id
    [| dbinspect index=webserver_index
    | fields state,id,rawSize,sizeOnDiskMB,index,splunk_server]
| bucket span=1h _time
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB by _time index splunk_server
| eval diskTotalinGB=round(diskTotalinMB/1024,2)
| eval rawTotalinGB=round(rawTotal/(1024*1024*1024),2)
| fields - rawTotal
| eval compression=tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%"
| table _time index, splunk_server, rawTotalinGB, diskTotalinGB, compression
| addcoltotals rawTotalinGB diskTotalinGB labelfield=splunk_server label="Total Usage(GB)"
@somesoni2 -
This is ugly...
tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%"
This is not....
tostring(100-round(100*diskTotalinGB / rawTotalinGB, 2)) + "%"