Solved: Can I use Pivot to show daily indexed data from Sa...

melonman · ‎10-25-2013

Hi
I am playing with Splunk 6, and trying to learn Pivot.
Now I am seeing a few data model for internal logs, but is there any useful case of pivot for those data model?
It seems very user friendly, but I am not just familiar with the data model of internal logs.

I would really appreciate if anyone could give me a sample of pivot use for internal logs or data models.

Thank you in advance..

davebrooking · ‎10-25-2013

From my limited knowledge, the following produces quantity indexed over time by sourcetype

Using the Quota Usage object from the Splunk’s Internal Server Logs – Sample Data model
For the Split Rows select _time and the appropriate size bucket you want from the Period picker
For the Split Columns select Sourcetype
In Column Values select GB indexed, and for Value select Sum

Dave

View solution in original post

davebrooking · ‎10-25-2013

From my limited knowledge, the following produces quantity indexed over time by sourcetype

Using the Quota Usage object from the Splunk’s Internal Server Logs – Sample Data model
For the Split Rows select _time and the appropriate size bucket you want from the Period picker
For the Split Columns select Sourcetype
In Column Values select GB indexed, and for Value select Sum

Dave

Can I use Pivot to show daily indexed data from Sample data model?

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation