Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

help with timechart / count needed

damucka
Builder
‎04-03-2019 01:45 AM

Hello,

I would like to track the license consumption as from time to time it is 4 times higher (per day) than expected. I suspect this is because our systems are in the QEC phase and produce more logs, e.g. after someone activates additional traces/debug mode.
I am identifying the file / source type responsible for the growth using the following:

index=si_license_usage idx="mlbso" st=BWP_hanatraces | eval Gb=round(b_hourly/1024/1024/1024,12)  | bucket span=1d _time |sort -b_hourly

What comes out is that the files with the pattern indexserver are causing the most consumption. This is expected.
As they have restricted size, I would be now interested to see how often they are written / transferred to Splunk.
So I thought I would use sth. like below to get the chart of the distinct files / sources per hour:

| metadata type=sources index=mlbso sourcetype=BWP* | search source="*indexserver*" | timechart span=1h count

but the last part with timechart does not return any result, so I guess I do sth wrong.
Could you please help?

Kind Regards,
Kamil

Tags (1)
0 Karma
Reply

FrankVl
Ultra Champion
‎04-03-2019 04:36 AM

| metadata does not return an _time field. So without any further tricks, you cannot do a timechart on that. You would need to rename the relevant time field from the | metadata output to _time, before doing the timechart.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...