I have the below search against a particular heavy index which lists its daily volume consumed.
index=_internal source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024 | rename idx as index | search index="xxx-xxx" | timechart span=1d sum(totalGB) by index
_time xxx-xxx
------------------------------------
date 200GB
I want the above query tweaked to compare the daily usage against 1000GB and list the output like below:
_time xxx-xxx Total %Used
---------------------------------------------------------------------------------------------
date 200GB 1000GB 20%
Thanks,
Laks
Hi @lwaddep1
Can you try like this.
index=_internal source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024 | rename idx as index | search index="xxx-xxx" | timechart span=1d sum(totalGB) as used_gb by index | eval total=1000 | eval used=used_gb/total |eval "used%"=used +"%"
Thanks for the quick update, I am able to see like below, but used% is missing.
_time xxx-xxx total
date 200GB 1000
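
The missing used% column reported above follows from `timechart ... by index`: with a split-by clause the output column is named after the index value, so `used_gb` never exists for the later `eval`. One way to get the requested layout, as an added example that is not from any post in this thread (the field names `used_gb`, `total_gb` and `used_pct` are chosen here for illustration):

```spl
index=_internal source=*license_usage.log type=Usage idx="xxx-xxx"
| bin _time span=1d
| stats sum(b) as bytes by _time
| eval used_gb = round(bytes/1024/1024/1024, 2)
| eval total_gb = 1000
| eval used_pct = round(used_gb / total_gb * 100, 2) . "%"
| rename used_gb as "xxx-xxx", total_gb as Total, used_pct as "%Used"
| fields _time, "xxx-xxx", Total, "%Used"
```

Aggregating with `stats ... by _time` keeps a fixed field name for the daily sum, and the `.` operator is used for the "%" suffix because it concatenates a number with a string.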