Hello,
I have a peculiar question:
Below is sample data:
_time | data storage name | Size of data storage |
2023-04-30T00:31:00.000 | data_storage_1 | 10 |
2023-04-30T00:31:00.000 | data_storage_2 | 15 |
2023-04-30T12:31:00.000 | data_storage_1 | 15 |
2023-04-30T12:31:00.000 | data_storage_2 | 20 |
2023-05-01T00:31:00.000 | data_storage_1 | 20 |
2023-05-01T00:31:00.000 | data_storage_2 | 30 |
2023-05-01T12:31:00.000 | data_storage_1 | 30 |
2023-05-01T12:31:00.000 | data_storage_2 | 40 |
2023-05-02T00:31:00.000 | data_storage_1 | 40 |
2023-05-02T00:31:00.000 | data_storage_2 | 50 |
2023-05-02T12:31:00.000 | data_storage_1 | 50 |
2023-05-02T12:31:00.000 | data_storage_2 | 50 |
How do I go about getting the sum of all storages per time frame?
Example of output:
Time Total Storage
04/30 00:31 -> 25
04/30 12:31 -> 35
05/01 00:31 -> 50
05/01 12:31 -> 70
Have you tried something like
| stats sum(storage) by _time
So I think I got what I needed:
| stats sum(Size of data storage) by _time, "data storage name"
Adding Bin added a layer of unnecessary sum of the values. I tried a | bin span=12h _time .
Also, I was not able to get the visual correctly with the differentiated colors; I had to use the trellis option, and that helped split my graph into 2 different graphs. For now, I can make do with that.
But in theory, it should've split it into different colors on the column chart, one for each data storage.
I did look into the bin command a bit further and it did help, thanks again! I needed to timechart my data for the latest data of that day, as it kept growing and the data points were just snapshots of the storage for that day.
Final code:
| bin _time span=12h
| stats latest(<storage size>) as <storage size> by _time data_storage
| timechart span=12h sum(<storage size>) by data_storage
For the requirement I needed, I just needed to do bin = 1d and span=1d to get daily data trend for the past year of data.
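The final pipeline in the post above (bin, latest per storage per bucket, then sum across storages) reproduced in Python as an added example; this is not code from the thread. It uses a constructed copy of the sample rows and also shows the double counting a plain daily sum of snapshot values produces, which is the "unnecessary sum" mentioned earlier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows mirroring the thread's data: (_time, storage name, size).
ROWS = [
    ("2023-04-30T00:31:00.000", "data_storage_1", 10),
    ("2023-04-30T00:31:00.000", "data_storage_2", 15),
    ("2023-04-30T12:31:00.000", "data_storage_1", 15),
    ("2023-04-30T12:31:00.000", "data_storage_2", 20),
    ("2023-05-01T00:31:00.000", "data_storage_1", 20),
    ("2023-05-01T00:31:00.000", "data_storage_2", 30),
    ("2023-05-01T12:31:00.000", "data_storage_1", 30),
    ("2023-05-01T12:31:00.000", "data_storage_2", 40),
    ("2023-05-02T00:31:00.000", "data_storage_1", 40),
    ("2023-05-02T00:31:00.000", "data_storage_2", 50),
    ("2023-05-02T12:31:00.000", "data_storage_1", 50),
    ("2023-05-02T12:31:00.000", "data_storage_2", 50),
]

def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f")

def bin_time(t: datetime, span: timedelta) -> datetime:
    """Equivalent of `| bin _time span=...`: floor the timestamp to its bucket start."""
    return t - ((t - datetime(1970, 1, 1)) % span)

def total_storage(rows, span_hours: int = 12) -> dict:
    """bin -> latest(size) per (bucket, storage) -> sum across storages per bucket.
    Taking the latest snapshot per storage first means each storage is counted once."""
    span = timedelta(hours=span_hours)
    latest = {}  # (bucket, storage) -> (event time, size)
    for ts, name, size in rows:
        t = parse_time(ts)
        key = (bin_time(t, span), name)
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, size)
    totals = defaultdict(int)
    for (bucket, _name), (_t, size) in latest.items():
        totals[bucket] += size
    return {b.strftime("%m/%d %H:%M"): totals[b] for b in sorted(totals)}

def naive_daily_sum(rows) -> dict:
    """What `| bin span=1d | stats sum(...)` gives: every snapshot of the day is added,
    so a storage that was sampled twice is counted twice (the double-counting pitfall)."""
    totals = defaultdict(int)
    for ts, _name, size in rows:
        totals[bin_time(parse_time(ts), timedelta(days=1))] += size
    return {b.strftime("%m/%d %H:%M"): totals[b] for b in sorted(totals)}
```

With a 12h span each bucket holds one snapshot per storage, so the totals match the expected output in the question; with a 1d span the latest-per-storage step is what keeps the daily totals correct.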
I forgot to add
You could also use | timechart and work with the bin parameter to group events by time ranges.
If you still want to work with stats, you can call the | bin command.
See the first example in these docs: https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandExamples