This might help
index=_internal sourcetype=splunkd group=per_host_thruput | timechart sum(kb) as totalkb by series limit=0
This might help
index=_internal sourcetype=splunkd group=per_host_thruput | timechart sum(kb) as totalkb by series limit=0
This is good, but it gives the average per event. I need aggregate average per day.
I combined yours with the elements here: http://answers.splunk.com/answers/79026/average-count-by-day.html
That worked out nicely. Final query looks like this:
index=_internal sourcetype=splunkd group=per_host_thruput earliest=-1mon@mon latest=@mon | bucket _time span=1d | stats sum(kb) as total by series,_time | stats avg(total) as average by series
|eval averageMB=round(average/1024,2)
|fields - average
|rename series as "Host Server",averageMB as "Average size per day in MB"
So while this report is nice, It shows only 31 hosts as belonging to the series
field. We have 57 hosts overall. Why would I not see them all in this report?
Hi feickertmd,
use the license usage report for this, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/AboutSplunksLicenseUsageReportView
cheers, MuS