- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- How do I return AWS storage use by region/month --...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
earliest=-360d aws-description-resource( (aws_account_id="*") , (region="*") , "ec2_volumes") |convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time |timechart span=1months sum(size) as total_size by region
I can get this info using the right filters in AWS cost explorer, but drives me batty because I can't seem to do it in splunk... above is the query I'm running, and I've tried many variants on the theme of aggregating by month with no success.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem was a pre-defined macro:
"aws-description-resource" macro was set up to only look at current data within the last 55 minutes, so trying to use that macro for historical data was never going to work. Instead I modified the search calling out the index vs the macro and now the data is coming in as it appears it should.
Query:
((index="aws" OR index="default") sourcetype="aws:description" aws_account_id="" region="" source="*:ec2_volumes") | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m") | dedup id sortby -_time | bin _time span=1mon@mon0 | stats sum(size) by _time, region
This works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem was a pre-defined macro:
"aws-description-resource" macro was set up to only look at current data within the last 55 minutes, so trying to use that macro for historical data was never going to work. Instead I modified the search calling out the index vs the macro and now the data is coming in as it appears it should.
Query:
((index="aws" OR index="default") sourcetype="aws:description" aws_account_id="" region="" source="*:ec2_volumes") | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m") | dedup id sortby -_time | bin _time span=1mon@mon0 | stats sum(size) by _time, region
This works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brockwebb, is it worth to check the timestamps in splunk ? i.e. data for previous months are ingested with previous months timestamps or as a batch with single timestamp of current month?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you check if you have older data? you are looking for data 360 days ago, not sure your index supports that retention
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have all the data, problem was a pre-defined macro for AWS plugins ... we corrected. Posted answer and description. Thanks for all your help looking into this!!!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
