All right, I've given up googling. I can't find the answer to this simple question, I hope you can help me out:
I have a nice search that lists all the indexes and their license consumption. This works fine:
index=_internal source="*license_usage.log*" type=Usage
| eval yearmonthday=strftime(_time, "%Y%m%d")
| eval yearmonth=strftime(_time, "%Y%m%d")
| stats sum(b) AS volume_b by idx yearmonthday yearmonth
| eval MB=round(volume_b/1024/1024,2)
| chart sum(MB) over yearmonth by idx
I now want to filter this table to show ONLY ONE of the indexes, and then create a graph of how it evolved over time.
I cannot for the life of me find a way to exclude all other indexes from the search and just leave one.
So any of these could solve my issue:
thanks a lot.
I'm quite new to this, but I believe if you add "idx=[your_index]" on the first line it should filter the results to just that index.
For example:
index=_internal source="*license_usage.log*" type=Usage idx=main
...
Then, if you want to graph it, go to the Visualization tab and choose a Line Chart, for example.
Hey, this is very simple. There is a ready-made query for this in Licensing » License Usage Reporting » Previous 30 days » split_by index.
Open it in Search and customize the query for only one index:
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" idx=<index_name> | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
So idx=<index_name>, where <index_name> is the name of the index that you want to find.
Also, if you want to stick to your query, then you can do the same for your query as well:
index=_internal source="*license_usage.log*" type=Usage idx=<index_name>
| eval yearmonthday=strftime(_time, "%Y%m%d")
| eval yearmonth=strftime(_time, "%Y%m%d")
| stats sum(b) AS volume_b by idx yearmonthday yearmonth
| eval MB=round(volume_b/1024/1024,2)
| chart sum(MB) over yearmonth by idx
Let me know if this helps!
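The idea behind both answers, written out as one complete search. This is an added example, not a query posted by the asker or either answerer, and not Splunk's own report. It assumes the index to isolate is `main` (the value used in the first answer) and that the default `_internal` index holds the `license_usage.log` events. Note that the asker's original `yearmonth` field is built with `%Y%m%d`, so it buckets by day exactly like `yearmonthday`; the example uses `%Y%m` so the chart really is one point per month.

```spl
index=_internal source="*license_usage.log*" type=Usage idx=main
| eval yearmonth=strftime(_time, "%Y%m")
| stats sum(b) AS volume_b by yearmonth idx
| eval MB=round(volume_b/1024/1024, 2)
| chart sum(MB) AS MB over yearmonth by idx
```

Putting `idx=main` in the base search is the cheapest place to filter, because Splunk drops every other index's events before `stats` runs. If you would rather keep the full table and filter afterwards (for example in a dashboard with a dropdown), the same effect comes from adding `| where idx="main"` after the `stats` line. One caveat from the built-in report's query above: when the license manager "squashes" usage because too many host/source combinations exist, the `h` and `s` fields are emptied, but `idx` is preserved, so per-index totals like this one stay accurate.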