Hi there!
I need a query, that will show me Top Sourcetype Sizes by Day, where sourcetype=kubernetes_logs, and the kubernetes_logs itself, to divide by service names (or namespace names).
RIght now, I'm using this query -
index=_internal source=*license_usage.log type="Usage"
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| eval sourcetypename = st
| bin _time span=1d
| stats sum(b) as b by _time, pool, indexname, sourcetypename
| eval GB=round(b/1024/1024/1024, 3)
| fields _time, indexname, sourcetypename, GB
| sort by GB
| reverse
But how do I exclude only kubernetes_logs from here, and divide it by service names?
Thanks!
