Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Average Index License Deviation Over The Past Month - Search Check

paimonsoror
Builder
‎12-16-2016 07:49 AM

Hi Folks;

I am looking to get the deviation of license usage for each particular index over a 30 day period. My hope is to use this data to forcast the estimated max per month that a particular group (index) may use. I have the following basic search, but was hoping to get an extra set of eyes to make sure my math is correct:

earliest=-30d@d latest=@d  index=_internal source=*license_usage.log* type=Usage idx="*" | stats sum(b) AS Bytes stdev(b) AS Deviation by idx | eval GB = Bytes/1024/1024/1024 | eval DevMB = Deviation/1024/1024 |  eval "Daily Avg Usage" = GB/30 | rename idx as Index | table Index "Daily Avg Usage" "DevMB"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎12-16-2016 08:23 AM

You might want to consider distinguishing between days of the week, or weekdays versus weekends, depending on what kind of operation you are dealing with. Here is a modification to breakdown the stats by day of the week.

 earliest=-30d@d latest=@d  index=_internal source=*license_usage.log* type=Usage idx="*" 
| fields _time b idx 
| bin _time span=1d 
| stats sum(b) AS Bytes by idx _time 
| eval wday = strftime(_time, "%A")
| stats avg(Bytes) as avg sum(Bytes) as sum stdev(Bytes) as dev by idx wday
| foreach avg sum dev [eval <<FIELD>>GB = round(<<FIELD>>/1024/1024/1024, 3)]
| rename idx as Index, wday as Weekday
| fields Index Weekday avgGB sumGB devGB

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎12-16-2016 08:23 AM

You might want to consider distinguishing between days of the week, or weekdays versus weekends, depending on what kind of operation you are dealing with. Here is a modification to breakdown the stats by day of the week.

 earliest=-30d@d latest=@d  index=_internal source=*license_usage.log* type=Usage idx="*" 
| fields _time b idx 
| bin _time span=1d 
| stats sum(b) AS Bytes by idx _time 
| eval wday = strftime(_time, "%A")
| stats avg(Bytes) as avg sum(Bytes) as sum stdev(Bytes) as dev by idx wday
| foreach avg sum dev [eval <<FIELD>>GB = round(<<FIELD>>/1024/1024/1024, 3)]
| rename idx as Index, wday as Weekday
| fields Index Weekday avgGB sumGB devGB
Reply
Solved! Jump to solution

paimonsoror
Builder
‎12-16-2016 08:43 AM

Super fast response! Love it.

had to fix something, i assume you meant:
| eval wday = strftime(_time, " %w")

else i got an error on my end (6.4.2)

still getting an error though on the last eval command:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<>/1024/1024/1024, 3)'.

0 Karma
Reply
Solved! Jump to solution

paimonsoror
Builder
‎12-16-2016 08:44 AM

Nevermind, got it, just needed to have "FIELD" in caps

THANKS!!!!

Can an admin please convert rjthibod's response to answer!

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎12-16-2016 08:44 AM

Sorry about. Good catch.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...