https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200164#M57994 <P>I may have forgotten to add that every day should be a new line so we can compare them.</P> Wed, 13 Apr 2016 15:41:13 GMT aferone 2016-04-13T15:41:13Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200162#M57992 <P>I would like to chart license usage throughout the day cumulatively, meaning, the results are added and charts every 5 minutes. So the chart would basically be a graph on a steady incline going up from left to right.</P> <P>This is the search I am attempting, but the timewrap function is adding the previous days results to the next day.</P> <PRE><CODE>index=_internal host=host source="*license_usage.log" type!=RolloverSummary earliest=-3d@d latest=+1d@d | timechart span=5m sum(b) as total | streamstats global=f sum(total) as accu_total | timewrap d </CODE></PRE> <P>If I remove the timechart function, the current day results look fine. But when I add timechart, it doesn't work how I want it to.</P> <P>Also, I need the accu_total, but a second line is generated called "total". How do I remove that line?</P> <P>Thoughts? Thanks!</P> Wed, 13 Apr 2016 15:20:53 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200162#M57992 aferone 2016-04-13T15:20:53Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200163#M57993 <P>What about this?</P> <PRE><CODE>index=_internal source=*license_usage.log type="Usage" earliest=-7d@d latest=@d | bin _time span=5m | stats sum(b) as total by _time | streamstats global=f sum(total) as accu_total </CODE></PRE> Wed, 13 Apr 2016 15:34:02 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200163#M57993 javiergn 2016-04-13T15:34:02Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200164#M57994 <P>I may have forgotten to add that every day should be a new line so we can compare them.</P> Wed, 13 Apr 2016 15:41:13 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200164#M57994 aferone 2016-04-13T15:41:13Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200165#M57995 <P>I can't test this right now, but what about this other one:</P> <PRE><CODE>index=_internal source=*license_usage.log type="Usage" earliest=-7d@d latest=@d | bin _time span=5m | eval date = strftime(_time, "%Y-%m-%d") | stats sum(b) as total by _time, date | streamstats global=f sum(total) as accu_total by date </CODE></PRE> Wed, 13 Apr 2016 16:02:28 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200165#M57995 javiergn 2016-04-13T16:02:28Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200166#M57996 <P>The line isn't stacked. It starts over for each day, but it is one continuous line. </P> <P>And the "total" line is still there.</P> <P>I really appreciate your help. Thank you.</P> Wed, 13 Apr 2016 16:08:07 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200166#M57996 aferone 2016-04-13T16:08:07Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200167#M57997 <P>Hi, take a look at the picture below and let me know if that's what you are looking for. <BR /> If not please provide a graph explaining what it is exactly what you need as I'm not 100% sure yet.<BR /> Keep in mind I don't have production data available and therefore I had to generate license usage with the variables minute, hour, day that you can ignore if you want.</P> <PRE><CODE>index=_internal source=*license_usage.log type="RolloverSummary" earliest=-2d@d | bin _time span=5m | stats latest(b) AS b by pool, _time | timechart span=5m sum(b) AS total fixedrange=false | eval minute = strftime(_time, "%M") | eval hour = strftime(_time, "%H") | eval day = strftime(_time, "%d") | eval total = coalesce(total, pow(day,6)*hour*minute) | fields - day, hour, minute | eval date = strftime(_time, "%Y-%m-%d") | streamstats global=f sum(total) as accu_total by date | eval total = round(total/1024/1024/1024, 3) | eval accu_total = round(accu_total/1024/1024/1024, 3) | fields - date </CODE></PRE> <P>Output (see picture)</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1233iED46C9997E893AE9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 14 Apr 2016 09:31:18 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200167#M57997 javiergn 2016-04-14T09:31:18Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200168#M57998 <P>I am actually looking for something like what timewrap provides. A line chart that overlaps each day on top of each other, so you can easily compare each day.</P> <P>I decided to check the license and dump it to a summary index and chart on that.</P> <P>Thanks for your help!</P> Fri, 15 Apr 2016 13:16:20 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200168#M57998 aferone 2016-04-15T13:16:20Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200169#M57999 <P>Aferone - Can you explain what you ended up coming up with?</P> Tue, 27 Aug 2019 19:34:31 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200169#M57999 jeck11 2019-08-27T19:34:31Z https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200170#M58000 <PRE><CODE>index=summary source="License - License Progress Today (Populate Summary Index)" earliest=-3d@d latest=+1d@d | timechart span=5m values(GB) | rename values(GB) as GB | timewrap d | rename GB_latest_day as Today GB_1day_before as "1 Day Ago" GB_2days_before as "2 Days Ago" GB_3days_before as "3 Days Ago" </CODE></PRE> <P>I check our license usage overall every 5 minutes and add it to a summary index. Then I use the above search to display the results.</P> Tue, 27 Aug 2019 19:40:20 GMT https://community.splunk.com/t5/Splunk-Search/Track-License-Usage-Cumulatively-Comparing-Last-7-Days/m-p/200170#M58000 aferone 2019-08-27T19:40:20Z