- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- How to filter results of a search or show license ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All right, I've given up googling. I can't find the answer to this simple question, I hope you can help me out:
I have a nice search that lists all the indexes and their license consumption. This works fine:
index=_internal source="*license_usage.log*" type=Usage
| eval yearmonthday=strftime(_time, "%Y%m%d")
| eval yearmonth=strftime(_time, "%Y%m%d")
| stats sum(b) AS volume_b by idx yearmonthday yearmonth
| eval MB=round(volume_b/1024/1024,2)
| chart sum(MB) over yearmonth by idx
I now want to filter this table to show ONLY ONE of the indexes, and then create a graph of how it evolved over time.
I cannot for the life of me find a way to exclude all other indexes from the search and just leave one.
So any of these could solve my issue:
- How to filter results from an already working search.
- How to make a graph that shows the evolution of license consumption of a specific index.
thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm quite new to this, but I believe if you add "idx=[your_index]" on the first line it should filter the results to just that index.
For example:
index=_internal source="*license_usage.log*" type=Usage idx=main
...
then if you want to graph it you just go into the Visualization tab and choose a Line Chart for example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey, this is very simple there is a ready-made query for in Licensing » License Usage Reporting » Previous 30 days » split_by index
do open in search and customize the query only for one index
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" idx=<index_name> | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
so idx=<index_name> <index_name> is the name of the index that you want to find.
Also if you want to stick to your query then you can do the same for your query as well.
index=_internal source="*license_usage.log*" type=Usage idx=<index_name>
| eval yearmonthday=strftime(_time, "%Y%m%d")
| eval yearmonth=strftime(_time, "%Y%m%d")
| stats sum(b) AS volume_b by idx yearmonthday yearmonth
| eval MB=round(volume_b/1024/1024,2)
| chart sum(MB) over yearmonth by idx
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm quite new to this, but I believe if you add "idx=[your_index]" on the first line it should filter the results to just that index.
For example:
index=_internal source="*license_usage.log*" type=Usage idx=main
...
then if you want to graph it you just go into the Visualization tab and choose a Line Chart for example.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
