topic Re: Search to shows results for the past 30 days? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301957#M90915 <P>Give this a try (may not be the faster search you will see)</P> <PRE><CODE>| dbinspect index=webserver_index span=1h | untable _time bucket count | dedup bucket | rex field=bucket "(?&lt;state&gt;\w+)-(?&lt;id&gt;\d+)" | sort 0 -_time | dedup id | join id [| dbinspect index=webserver_index | fields state,id,rawSize,sizeOnDiskMB,index,splunk_server] | bucket span=1h _time | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB by _time index splunk_server | eval diskTotalinGB=round(diskTotalinMB/1024,2) | eval rawTotalinGB=round(rawTotal/(1024*1024*1024),2) | fields - rawTotal | eval compression=tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%" | table _time index, splunk_server, rawTotalinGB, diskTotalinGB, compression | addcoltotals rawTotalinGB diskTotalinGB labelfield=splunk_server label="Total Usage(GB)" </CODE></PRE> Fri, 25 Aug 2017 19:55:54 GMT somesoni2 2017-08-25T19:55:54Z Search to shows results for the past 30 days? https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301956#M90914 <P>Can I please get help to modify the below query to display results of each day for last 30 days which will show the rawtotal diskTotal compression </P> <PRE><CODE>| dbinspect index=webserver_index | fields state,id,rawSize,sizeOnDiskMB,index,splunk_server | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB by index splunk_server | eval diskTotalinGB=round(diskTotalinMB/1024,2) | eval rawTotalinGB=round(rawTotal/(1024*1024*1024),2) | fields - rawTotal | eval compression=tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%" | table index, splunk_server, rawTotalinGB, diskTotalinGB, compression | addcoltotals rawTotalinGB diskTotalinGB labelfield=splunk_server label="Total Usage(GB)" </CODE></PRE> Fri, 25 Aug 2017 19:09:49 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301956#M90914 kteng2024 2017-08-25T19:09:49Z Re: Search to shows results for the past 30 days? https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301957#M90915 <P>Give this a try (may not be the faster search you will see)</P> <PRE><CODE>| dbinspect index=webserver_index span=1h | untable _time bucket count | dedup bucket | rex field=bucket "(?&lt;state&gt;\w+)-(?&lt;id&gt;\d+)" | sort 0 -_time | dedup id | join id [| dbinspect index=webserver_index | fields state,id,rawSize,sizeOnDiskMB,index,splunk_server] | bucket span=1h _time | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB by _time index splunk_server | eval diskTotalinGB=round(diskTotalinMB/1024,2) | eval rawTotalinGB=round(rawTotal/(1024*1024*1024),2) | fields - rawTotal | eval compression=tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%" | table _time index, splunk_server, rawTotalinGB, diskTotalinGB, compression | addcoltotals rawTotalinGB diskTotalinGB labelfield=splunk_server label="Total Usage(GB)" </CODE></PRE> Fri, 25 Aug 2017 19:55:54 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301957#M90915 somesoni2 2017-08-25T19:55:54Z Re: Search to shows results for the past 30 days? https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301958#M90916 <P>@somesoni2 - </P> <P>This is ugly...</P> <PRE><CODE>tostring(100-round(diskTotalinGB / rawTotalinGB * 100, 2)) + "%" </CODE></PRE> <P>This is not....</P> <PRE><CODE>tostring(100-round(100*diskTotalinGB / rawTotalinGB, 2)) + "%" </CODE></PRE> Fri, 25 Aug 2017 22:35:09 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-shows-results-for-the-past-30-days/m-p/301958#M90916 DalJeanis 2017-08-25T22:35:09Z