Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Avg per day

test_qweqwe
Builder
‎01-15-2018 04:58 AM 
| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i]  GROUPBY Internal_Log_Events.idx  | eval gb=round(bytes/1024/1024/1024,2) | stats sum(gb) AS "Total GB" by Internal_Log_Events.idx | rename Internal_Log_Events.idx AS Index  Internal_Log_Events.st AS "Source Type" Internal_Log_Events.h AS Host | sort - "Total GB"

I wanna search by 30 day and see avg by day, how possible implementation it? How change this search?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-15-2018 05:24 AM

hey you can try something like this

using stats command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| bin _time span=1d 
| stats avg(gb) AS "Total GB" by Internal_Log_Events.idx,_time 
| rename Internal_Log_Events.idx AS Index 
| sort - "Total GB"

using timechart command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| timechart avg(gb) AS "Total GB" by Internal_Log_Events.idx

let me know if this helps !

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-15-2018 05:24 AM

hey you can try something like this

using stats command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| bin _time span=1d 
| stats avg(gb) AS "Total GB" by Internal_Log_Events.idx,_time 
| rename Internal_Log_Events.idx AS Index 
| sort - "Total GB"

using timechart command

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE 
    [ inputlookup all_servers.csv 
    | search role=indexer 
    | rename guid AS "Internal_Log_Events.i" 
    | fields Internal_Log_Events.i] earliest=-30d@d latest=now GROUPBY Internal_Log_Events.idx _time
| eval gb=round(bytes/1024/1024/1024,2) 
| timechart avg(gb) AS "Total GB" by Internal_Log_Events.idx

let me know if this helps !

Reply
Solved! Jump to solution

test_qweqwe
Builder
‎01-15-2018 05:28 AM

it's work, but i need avg per 1 day by 30 days 🙂
What me change in ur search to see results that i need?

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-15-2018 05:54 AM

you can make use of earliest=-30d@d and latest=now for last 30 days. or else you can try specify in timepicker. I have changed the query for last 30 days. you can change that according to your need

@test_qweqwe let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎01-15-2018 05:02 AM

Hi ,

Can you please try below query, this will give you sum of gb per day. 

| tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i]  GROUPBY Internal_Log_Events.idx,_time  | eval gb=round(bytes/1024/1024/1024,2) | bin _time span=1d | stats sum(gb) AS "Total GB" by Internal_Log_Events.idx,_time | rename Internal_Log_Events.idx AS Index  Internal_Log_Events.st AS "Source Type" Internal_Log_Events.h AS Host | sort - "Total GB"

EDIT: Query updated

0 Karma
Reply
Solved! Jump to solution

test_qweqwe
Builder
‎01-15-2018 05:22 AM

it's now working "No results found"

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...