Solved: Indexed volume search does not display all results

remy06 · ‎11-01-2010

Hi,

I have a search that is scheduled to run at the start of a month to display the daily indexed volume for the previous month.

I've received the report today(1st nov) for the previous month of october. However,the result missed out days from the 1st oct-4th oct.

Here is my search:
index=_internal todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval MB_Indexed = todaysBytesIndexed/1024/1024 | convert ctime(_time) as Time timeformat=%m/%d/%y | stats sum(MB_Indexed) by Time | sort Time

My start time range is set as -mon@mon, Schedule type is set as cron, 0 9 1 * *.

Any idea?

remy06 · ‎02-08-2011

View solution in original post

remy06 · ‎02-08-2011

tgow · ‎11-01-2010

I think you are close. I tried using the relative time range of "-1mon@mon" and was able to get it to work.

Hope this helps.

remy06 · ‎11-02-2010

Hi,doesn't seem to work..Anyway I can search for events on those missing days..but it doesnt show up when I use the search above..

Indexed volume search does not display all results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!