How to add 30 day average into Splunk license usag...

jwalzerpitt · ‎12-19-2019

I am using the Splunk 30 day usage search and would like to add the 30 day average into the search and then as on overlay. How would I add the average into the search:

(index=_internal host=host source=*license_usage.log* type="RolloverSummary" _time>=1574139600.000) 
| eval _time=_time - 43200 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| join type=outer _time 
    [ search index=_internal host=host
 source=*license_usage.log* type="RolloverSummary" earliest=-30d@d 
    | eval _time=_time - 43200 
    | bin _time span=1d 
    | dedup _time stack 
    | stats sum(stacksz) AS "stack size" by _time] 
| fields - _timediff 
| foreach "*" 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Thx

to4kawa · ‎12-21-2019

index=_internal  source="*license_usage.log" type="RolloverSummary" earliest=-30d@d
 | bin _time span=1d 
 | eventstats sum(stacksz) as a by _time
 | eventstats avg(a) as stack_avg
 | stats latest(b) AS b values(a) as stack_size values(stack_avg) as stack_avg by slave, pool, _time
 | timechart span=1d sum(b) AS "volume" values(stack_size) as "stack size" values(stack_avg) as "stack avg" fixedrange=false
 | foreach "*" 
     [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Hi, @jwalzerpitt
| eval _time=_time - 43200 what 's this?

How to add 30 day average into Splunk license usage search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!