Trending license usage

rmorlen · ‎01-31-2013

We have a summary index where we collect daily license usage. We have a chart that can show me the daily usage for the last few months.

I would like to have a trendline that shows the usage over the past few months. I would like to only include Monday-Friday (or only exclude weekends).

I chart the following (summary_admin is our summary index):

index=summary_admin earliest=-4mon@mon latest=@d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals fieldname=GBTotal | timechart span=1w avg(GBTotal) as "Average", max(GBTotal) as "Max", min(GBTotal) as "Min"

Does ok but would be better by eliminating weekends. (I also need to tweak the span options.)

Thanks.

yannK · ‎01-31-2013

check the automatic date fields like date_wday
and use it as an eval or where condition to exclude or turn into zero.

| eval GB=if(date_wday="saturday" OR date_wday="sunday",0)

rmorlen · ‎01-31-2013

Thanks for the input. Setting the values for Sat and Sun to 0 skew the averages, min, and max. I really want to completely ignore them.

Trending license usage

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation

Trending license usage

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series