Solved: Avg per day

test_qweqwe · ‎01-15-2018

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i]  GROUPBY Internal_Log_Events.idx  | eval gb=round(bytes/1024/1024/1024,2) | stats sum(gb) AS "Total GB" by Internal_Log_Events.idx | rename Internal_Log_Events.idx AS Index  Internal_Log_Events.st AS "Source Type" Internal_Log_Events.h AS Host | sort - "Total GB"

I wanna search by 30 day and see avg by day, how possible implementation it? How change this search?

mayurr98 · ‎01-15-2018

hey you can try something like this

using stats command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| bin _time span=1d 
| stats avg(gb) AS "Total GB" by Internal_Log_Events.idx,_time 
| rename Internal_Log_Events.idx AS Index 
| sort - "Total GB"

using timechart command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| timechart avg(gb) AS "Total GB" by Internal_Log_Events.idx

let me know if this helps !

View solution in original post

mayurr98 · ‎01-15-2018

hey you can try something like this

using stats command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| bin _time span=1d 
| stats avg(gb) AS "Total GB" by Internal_Log_Events.idx,_time 
| rename Internal_Log_Events.idx AS Index 
| sort - "Total GB"

using timechart command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| timechart avg(gb) AS "Total GB" by Internal_Log_Events.idx

let me know if this helps !

test_qweqwe · ‎01-15-2018

it's work, but i need avg per 1 day by 30 days 🙂
What me change in ur search to see results that i need?

mayurr98 · ‎01-15-2018

you can make use of earliest=-30d@d and latest=now for last 30 days. or else you can try specify in timepicker. I have changed the query for last 30 days. you can change that according to your need

@test_qweqwe let me know if this helps!

harsmarvania57 · ‎01-15-2018

Hi ,

Can you please try below query, this will give you sum of gb per day.

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i]  GROUPBY Internal_Log_Events.idx,_time  | eval gb=round(bytes/1024/1024/1024,2) | bin _time span=1d | stats sum(gb) AS "Total GB" by Internal_Log_Events.idx,_time | rename Internal_Log_Events.idx AS Index  Internal_Log_Events.st AS "Source Type" Internal_Log_Events.h AS Host | sort - "Total GB"

EDIT: Query updated

test_qweqwe · ‎01-15-2018

it's now working "No results found"

Avg per day

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!