Archive

## Daily averages in usage over 7 days or similar...

Path Finder
``````index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex)
| eval yearmonthday=strftime(_time, "%m-%d-%Y")
| stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday
| chart sum(volume_gb) over idx by yearmonthday | addtotals col=true fieldname="Total GB" labelfield=idx
``````

The above works great showing me my daily index usage (have it set for the previous 7 full days)

But I would much rather print the row total as averages instead of totals while keeping the column totals. Any idea? Additionally, how can I sort this by average size descending but keeping the total row at the bottom?

Thank you

Tags (4)
1 Solution
Revered Legend

Give this a try

``````index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex)
| eval yearmonthday=strftime(_time, "%m-%d-%Y")
| stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday
| appendpipe [| stats avg(volume_gb) as volume_gb by idx | eval yearmonthday="ZZZZ" ]
| chart sum(volume_gb) over idx by yearmonthday
| sort -ZZZZ | rename "ZZZZ" as "Average GB"
``````
Revered Legend

Give this a try

``````index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex)
| eval yearmonthday=strftime(_time, "%m-%d-%Y")
| stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday
| appendpipe [| stats avg(volume_gb) as volume_gb by idx | eval yearmonthday="ZZZZ" ]
| chart sum(volume_gb) over idx by yearmonthday
| sort -ZZZZ | rename "ZZZZ" as "Average GB"
``````
Motivator

Hello @antb,

Please add below query at the end of your current search instead of using `addtotals` command.

``````| appendpipe [| stats avg(*) as * | eval idx="Avg usage"]
``````

Hope this helps!!!

State of Splunk Careers