Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Daily averages in usage over 7 days or similar...

antb
Path Finder
‎06-15-2019 11:53 AM 
index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex) 
| eval yearmonthday=strftime(_time, "%m-%d-%Y") 
| stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday 
| chart sum(volume_gb) over idx by yearmonthday | addtotals col=true fieldname="Total GB" labelfield=idx

The above works great showing me my daily index usage (have it set for the previous 7 full days)

But I would much rather print the row total as averages instead of totals while keeping the column totals. Any idea? Additionally, how can I sort this by average size descending but keeping the total row at the bottom?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-18-2019 07:14 AM

Give this a try

index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex) 
 | eval yearmonthday=strftime(_time, "%m-%d-%Y") 
 | stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday 
 | appendpipe [| stats avg(volume_gb) as volume_gb by idx | eval yearmonthday="ZZZZ" ]
 | chart sum(volume_gb) over idx by yearmonthday 
 | sort -ZZZZ | rename "ZZZZ" as "Average GB"
 | addcoltotals labelfield=idx

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-18-2019 07:14 AM

Give this a try

index=_internal source="*license_usage.log*" type=Usage idx IN (index1,index2,index3, index4,etcindex) 
 | eval yearmonthday=strftime(_time, "%m-%d-%Y") 
 | stats sum(eval(round(b/1024/1024/1024,4))) AS volume_gb by idx yearmonthday 
 | appendpipe [| stats avg(volume_gb) as volume_gb by idx | eval yearmonthday="ZZZZ" ]
 | chart sum(volume_gb) over idx by yearmonthday 
 | sort -ZZZZ | rename "ZZZZ" as "Average GB"
 | addcoltotals labelfield=idx
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-18-2019 07:11 AM

Hello @antb,

Please add below query at the end of your current search instead of using addtotals command.

| appendpipe [| stats avg(*) as * | eval idx="Avg usage"]

Hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...