Hello @ITWhisperer,
I am trying to get the details of "the volume of data ingestion, broken down by index group".
I tried this SPL but am unable to get the results in the table:
index=summary source="splunk-ingestion"
|dedup keepempty=t _time idx
|stats sum(ingestion_gb) as ingestion_gb by _time idx
|bin _time span=1h
|eval ingestion_gb=round(ingestion_gb,3)
|eval group_field=case(match(idx,"micro"), "microgroup", match(idx,"soft"), "softgroup", true(), "other")
|timechart limit=0 span=1d sum(ingestion_gb) as GB by group_field
We have a list of indexes like:
AZ_micro
micro
AD_micro
Az_soft
soft
AZ_soft
From the above indexes, the 'micro' indexes are grouped under the name 'microgroup', while the 'soft' indexes are grouped under 'softgroup', and so on, like below.
So, in the table I want to show the volume of the "groups" like:
------------------------------------------
group name | volume
------------------------------------------
microgroup | <0000>
softgroup | <0000>
Your expected output doesn't have a time element so why are you using timechart, or indeed bin _time?
@ITWhisperer, extremely sorry for how I wrote the table; I need time as well.
Why use bin span=1h and then use span=1d in the timechart? The bin span=1h is redundant.
What does your timechart search give you, and why does it not match your requirement?
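As an added, self-contained example (not code from the original thread), the following search builds a handful of constructed summary rows with makeresults and applies the grouping the question asks for. Two points it illustrates: case() accepts any number of condition/value pairs, whereas if() takes exactly three arguments, so a six-argument if() is a syntax error; and match() evaluates a regular expression against the field value, which searchmatch() does not (searchmatch takes search syntax, where "." is a literal character). The (?i) flag makes the match case-insensitive so index names that differ only in case land in the same group. The index names, timestamps and gigabyte values are made up, and "main" is included only to show the "other" bucket.

```spl
| makeresults
| eval row=split("2024-05-01T00:00:00,AZ_micro,1.25;2024-05-01T01:00:00,micro,0.5;2024-05-01T00:00:00,AD_micro,0.75;2024-05-01T00:00:00,Az_soft,2;2024-05-02T00:00:00,soft,1.5;2024-05-02T03:00:00,AZ_soft,0.25;2024-05-02T00:00:00,main,3", ";")
| mvexpand row
| eval parts=split(row, ",")
| eval _time=strptime(mvindex(parts, 0), "%Y-%m-%dT%H:%M:%S")
| eval idx=mvindex(parts, 1)
| eval ingestion_gb=tonumber(mvindex(parts, 2))
| fields - row parts
| eval group_field=case(match(idx, "(?i)micro"), "microgroup", match(idx, "(?i)soft"), "softgroup", true(), "other")
| timechart span=1d limit=0 sum(ingestion_gb) as GB by group_field
```

With these rows the 2024-05-01 bucket sums microgroup to 2.5 GB and softgroup to 2 GB, and the 2024-05-02 bucket shows softgroup 1.75 GB and other 3 GB, with the remaining cells filled as 0 by timechart. To run it against real data, replace everything up to the `fields` line with `index=summary source="splunk-ingestion"` and the existing dedup/stats stages; the hourly bin is unnecessary because timechart does its own bucketing at span=1d.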