I am trying to create a summary index which will give us the license usage by index and sourcetype, which will be used for creating a dashboard with trends based on index and breaches per day. The process followed is:
index=_internal type=Usage source="/opt/splunk/var/log/splunk/license_usage.log" |stats sum(b) as bytes by idx, st
After that I am using the query below to pull out the trend for the last 24hrs:
index=summary search_name=savedsearch_name |stats sum(bytes) by idx |eval GB = round(bytes/1024/1024/1024, 2)
But the above query gave me wrong results. Could you please help me to sort out the mistake? Thanks in advance.
Since you (might) want to calculate trends, your summary index needs a _time field and a smaller, evenly distributed summary indexing frequency. I would do something like this:
Summary index search name:
index=_internal sourcetype=splunkd component=LicenseUsage type=Usage | bucket span=5m _time | stats sum(b) as bytes by _time idx st
-4m@m (allowing a 4min delay to account for indexing delay)
Cron Schedule :
4-59/5 * * * * (every 5 mins, starting at the 4th min. Since we take a 4 min delay, your data will be collected for even time blocks 0-5 mins, 5-10 mins, etc.)
You can backfill it for past period using this method: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Managesummaryindexgapsandoverlaps#Use_t...
Now use new summary index data for your trending. Since this has correct _time value it'll honor time-range as well.
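The same scheduled summary search written out as a savedsearches.conf stanza (an added example, not part of the answer above). The stanza name and the summary index name "summary" are assumptions, and the earliest time of -9m@m is assumed from the 5-minute bucket span and 4-minute delay described above, so that each run covers exactly one closed 5-minute block.

```ini
# savedsearches.conf (assumed stanza name; adjust to your own saved search name)
[license_usage_by_idx_st]
# Bucket the raw license usage events into 5-minute blocks so each summary event carries a _time value
search = index=_internal sourcetype=splunkd component=LicenseUsage type=Usage | bucket span=5m _time | stats sum(b) as bytes by _time idx st
enableSched = 1
# Run every 5 minutes at minute 4, 9, 14, ... so the 4-minute indexing delay has passed
cron_schedule = 4-59/5 * * * *
# Window of one closed 5-minute block: -9m@m is an assumed earliest that matches the 4-minute delay
dispatch.earliest_time = -9m@m
dispatch.latest_time = -4m@m
# Keep the scheduled windows contiguous instead of skipping missed runs
realtime_schedule = 0
# Write the results to the summary index (index name assumed)
action.summary_index = 1
action.summary_index._name = summary
```

The trend search then reads index=summary with the stanza name as search_name, and because each summary event has its own _time the 24-hour time picker applies directly.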