topic Re: Daily averages in usage over 7 days or similar... in Splunk Search

Daily averages in usage over 7 days or similar...

antb — Sat, 15 Jun 2019 18:53:33 GMT

index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex) 
| eval yearmonthday=strftime(_time, "%m-%d-%Y") 
| stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday 
| chart sum(volume_gb) over idx by yearmonthday | addtotals col=true fieldname="Total GB" labelfield=idx

The above works great showing me my daily index usage (have it set for the previous 7 full days)

But I would much rather print the row total as averages instead of totals while keeping the column totals. Any idea? Additionally, how can I sort this by average size descending but keeping the total row at the bottom?

Thank you

Re: Daily averages in usage over 7 days or similar...

VatsalJagani — Tue, 18 Jun 2019 14:11:36 GMT

Hello @antb,

Please add below query at the end of your current search instead of using addtotals command.

| appendpipe [| stats avg(*) as * | eval idx="Avg usage"]

Hope this helps!!!

Re: Daily averages in usage over 7 days or similar...

somesoni2 — Tue, 18 Jun 2019 14:14:32 GMT

Give this a try

index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex) 
 | eval yearmonthday=strftime(_time, "%m-%d-%Y") 
 | stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday 
 | appendpipe [| stats avg(volume_gb) as volume_gb by idx | eval yearmonthday="ZZZZ" ]
 | chart sum(volume_gb) over idx by yearmonthday 
 | sort -ZZZZ | rename "ZZZZ" as "Average GB"
 | addcoltotals labelfield=idx