- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

All,
I have a bunch of different indexes, each one belonging to one of three teams. How do i create a report that will group each of the teams index usage together?
Team 1 uses:
IndexA, IndexB, IndexC
Team2 uses:
IndexD, IndexE, IndexF
Team3 uses:
IndexG, IndexH
My report currently gives me a breakdown of usage per index, but i want to group the indexes so instead of a value per index, i can get a value per team.
Current Search:
index=_internal source=*license_usage.log type=Usage | rename idx AS index | timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used" by index useother=f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hey @JScordo,
You can use eval's case
function to make a "team indicator field" like so:
index=_internal source=*license_usage.log type=Usage
| rename idx AS index
| eval team = case(match(index, "A|B|C"), 1, match(index, "D|E|F"), 2, match(index, "G|H"), 3)
| timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used" by team useother=f
Whatever you put in the "A|B|C"
portions should be regular expressions which match the index name you're looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hey @JScordo,
You can use eval's case
function to make a "team indicator field" like so:
index=_internal source=*license_usage.log type=Usage
| rename idx AS index
| eval team = case(match(index, "A|B|C"), 1, match(index, "D|E|F"), 2, match(index, "G|H"), 3)
| timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used" by team useother=f
Whatever you put in the "A|B|C"
portions should be regular expressions which match the index name you're looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Perhaps use a lookup table. Use the lookup functionality to add the team field to the events and then search based on that.
You'd need a table:
Index | Team
IndexA|Team1
IndexB|Team1
IndexC|Team1
IndexD|Team2
etc
Then you'll want to add the lookup command to your search to pull in the additional team field.
For more info on this see: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Try like this
index=_internal source=*license_usage.log type=Usage idx="IndexA" OR idx="IndexB" OR idx="IndexC" OR idx="IndexD" OR idx="IndexE" OR idx="IndexF"OR idx="IndexF" OR idx="IndexH"
| eval Team=case(idx="IndexA" OR idx="IndexB" OR idx="IndexC","Team1", idx="IndexD" OR idx="IndexE" OR idx="IndexF","Team2", idx="IndexF" OR idx="IndexH","Team3") | timechart span=1d sum(b) by Team | foreach * [eval "<<FIELD>>=round('<<FIELD>>'/1024/1024/1024,2)]
