Data Ingestion volume by group

phanikumarcs · ‎02-15-2024

i am trying to get the details of "the volume of data ingestion, broken down by index group"

i tried this SPL unable to get the results in the table

index=summary source="splunk-ingestion"
|dedup keepempty=t _time idx
|stats sum(ingestion_gb) as ingestion_gb by _time idx
|bin _time span=1h
|eval ingestion_gb=round(ingestion_gb,3)
|eval group_field=if(searchmatch("idx=.*micro.*group1"), "group1",searchmatch("idx=.*soft.*"), "group2", true(), "other")
|timechart limit=0 span=1d sum(ingestion_gb) as GB by group_field

We are having list of indexes like:
AZ_micro
micro
AD_micro
Az_soft
soft
AZ_soft

From the above indexes 'micro' are grouped under the name 'microgroup', while the indexes 'soft' are grouped under 'softgroup', and so on like below.

so, in the table i want to show the volume of the "groups" like
------------------------------------------
group name | volume
------------------------------------------
microgroup | <0000>
softgroup | <0000>

ITWhisperer · ‎02-15-2024

Your expected output doesn't have a time element so why are you using timechart, or indeed bin _time?

phanikumarcs · ‎02-15-2024

@ITWhisperer extremely sorry to write in the table, need time as well.

ITWhisperer · ‎02-15-2024

Why use bin span=1h and then use span=1d in the timechart? The bin span=1h is redundant.

What does our timechart search give you and why does it not match your requirement?

Data Ingestion volume by group

other

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!