Newbie to Splunk.
From a server farm of web servers, I'd like to get the total of sc_bytes (bytes from server to client) for all file types, then a subtotal of all .jpg files and a separate subtotal of .png files.
Search to calculate total bytes out per day:
".jpg" or ".png" sc_status=200 | eval Mbytes-out=sc_bytes/1024/1024 | timechart sum(Mbytes-out) span=24h
I can't figure out how to get the subcount by file type in a single query.
Sample webserver log:
2012-11-14 13:41:19 W3SVC12345 172.16.3.1 GET /img/site-page-block.jpg - 80 – 8.8.8.8 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+InfoPath.3) http://server.com/ 200 0 0 48604 2210 31
2012-11-14 13:41:19 W3SVC12345 172.16.3.1 GET /img/site-page-block.png - 80 – 8.8.8.8 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+MS-RTC+LM+8;+InfoPath.3) http://server.com/ 200 0 0 48604 2210 31
Thanks in advance.
Do you want to distinguish jpg from png, or any files ?
Here is a way , let's suppose your filename is in the field "path", you can extract the extension using a regex.
sc_status=200 | rex field=path "\.(?<type>\w+)$" | eval Mbytes-out=sc_bytes/1024/1024 | timechart sum(Mbytes-out) span=24h by type