Splunk Search

Average Index License Deviation Over The Past Month - Search Check

Builder

Hi folks,

I am looking to get the deviation of license usage for each particular index over a 30-day period. My hope is to use this data to forecast the estimated max per month that a particular group (index) may use. I have the following basic search, but was hoping to get an extra set of eyes to make sure my math is correct:

earliest=-30d@d latest=@d index=_internal source=*license_usage.log* type=Usage idx="*"
| stats sum(b) AS Bytes stdev(b) AS Deviation by idx
| eval GB = Bytes/1024/1024/1024
| eval DevMB = Deviation/1024/1024
| eval "Daily Avg Usage" = GB/30
| rename idx as Index
| table Index "Daily Avg Usage" "DevMB"
0 Karma
1 Solution

Champion

You might want to consider distinguishing between days of the week, or weekdays versus weekends, depending on what kind of operation you are dealing with. Here is a modification to break down the stats by day of the week.

earliest=-30d@d latest=@d index=_internal source=*license_usage.log* type=Usage idx="*"
| fields _time b idx 
| bin _time span=1d 
| stats sum(b) AS Bytes by idx _time 
| eval wday = strftime(_time, "%A")
| stats avg(Bytes) as avg sum(Bytes) as sum stdev(Bytes) as dev by idx wday
| foreach avg sum dev [eval <<FIELD>>GB = round(<<FIELD>>/1024/1024/1024, 3)]
| rename idx as Index, wday as Weekday
| fields Index Weekday avgGB sumGB devGB

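
As an added, runnable illustration of the math discussed in this thread (not code from the original posts or from Splunk), the following Python script parses a handful of constructed license_usage.log-style rows and computes both sets of numbers: stdev(b) over individual rows, as in the question, and the mean and standard deviation of the per-day sums, as in the accepted answer, plus the same breakdown by weekday name. The sample rows are constructed and only approximate the real log's key=value layout; the field names type, idx and b are the ones the searches above use. The forecasting rule at the end (daily mean plus two standard deviations, times 30 days) is an assumption of this example, not something the thread states, and the function names are the example's own.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

GIB = 1024 ** 3

# Constructed sample rows (not real data) approximating license_usage.log's
# key=value layout; type=Usage rows carry idx="..." and b=<bytes>.
# 2017-03-06/07/08 are Mon/Tue/Wed; 2017-03-13 is the following Monday.
SAMPLE_LOG = """\
03-06-2017 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary b=4294967296
03-06-2017 00:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=1073741824
03-06-2017 12:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=1073741824
03-06-2017 01:00:00.000 +0000 INFO  LicenseUsage - type=Usage idx="web" b=1073741824
03-07-2017 00:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=2147483648
03-07-2017 12:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=2147483648
03-07-2017 01:00:00.000 +0000 INFO  LicenseUsage - type=Usage idx="web" b=1073741824
03-08-2017 00:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=1073741824
03-08-2017 08:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=1073741824
03-08-2017 16:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=1073741824
03-08-2017 01:00:00.000 +0000 INFO  LicenseUsage - type=Usage idx="web" b=1073741824
03-13-2017 00:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=2147483648
03-13-2017 12:30:00.000 +0000 INFO  LicenseUsage - type=Usage idx="fw" b=2147483648
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage_events(text):
    """[(day, idx, bytes)] for type=Usage rows only, like the search's type=Usage filter."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        kv = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
        if kv.get("type") != "Usage" or "idx" not in kv:
            continue
        # Day boundary taken from the row's own UTC offset; `bin _time span=1d`
        # would use the search head's timezone instead.
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        events.append((ts.date(), kv["idx"], int(kv["b"])))
    return events

def sample_stdev(values):
    """Sample (n-1) standard deviation, as Splunk's stdev(); a single value gives 0."""
    return statistics.stdev(values) if len(values) > 1 else 0.0

def daily_totals(events):
    """{idx: {day: bytes}} -- the `bin _time span=1d | stats sum(b) by idx _time` step."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, idx, b in events:
        totals[idx][day] += b
    return totals

def per_index_stats(events, window_days=30):
    """The question's numbers next to statistics over daily totals, all in GiB."""
    per_row = defaultdict(list)
    for _, idx, b in events:
        per_row[idx].append(b / GIB)
    out = {}
    for idx, days in daily_totals(events).items():
        daily = [b / GIB for b in days.values()]
        out[idx] = {
            "days_seen": len(daily),
            # sum(b)/30 as in the question; days with no rows count as zero
            "window_avg_gb": round(sum(daily) / window_days, 3),
            # stdev(b) over rows as in the question: tracks rows per day, not volume
            "per_row_stdev_gb": round(sample_stdev(per_row[idx]), 3),
            # mean/stdev of the per-day sums, as in the accepted answer
            "daily_avg_gb": round(statistics.mean(daily), 3),
            "daily_stdev_gb": round(sample_stdev(daily), 3),
        }
    return out

def by_weekday(events):
    """avgGB/sumGB/devGB of daily totals per idx and weekday name (accepted answer)."""
    out = {}
    for idx, days in daily_totals(events).items():
        buckets = defaultdict(list)
        for day, b in days.items():
            buckets[day.strftime("%A")].append(b / GIB)
        out[idx] = {wd: {"avgGB": round(statistics.mean(v), 3),
                         "sumGB": round(sum(v), 3),
                         "devGB": round(sample_stdev(v), 3)} for wd, v in buckets.items()}
    return out

def forecast_peak_month_gb(events, days=30, k=2.0):
    """Assumed rule, not from the thread: (daily mean + k * daily stdev) * days."""
    out = {}
    for idx, day_map in daily_totals(events).items():
        daily = [b / GIB for b in day_map.values()]
        out[idx] = round((statistics.mean(daily) + k * sample_stdev(daily)) * days, 3)
    return out

if __name__ == "__main__":
    ev = parse_usage_events(SAMPLE_LOG)
    print(per_index_stats(ev))
    print(by_weekday(ev))
    print(forecast_peak_month_gb(ev))
```

Running it on the sample shows why the two searches disagree: for the fw index the per-row stdev(b) comes out at about 0.53 GiB while the standard deviation of the daily sums is about 0.96 GiB, because the row-level figure changes with how many rows the log writes per index per day (roughly one per reporting source per logging interval) rather than with daily volume, so the binned series is the one to feed a forecast. Note also that weekdays with a single observation get a deviation of 0, as Splunk's stdev does, which is not the same as "no variance"; give the search more than one week of data before trusting a per-weekday number. The same daily series makes a security-relevant index that suddenly goes quiet (a firewall feed that stops reporting) stand out as a negative outlier, which is worth alerting on alongside the license headroom.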

Builder

Super fast response! Love it.

Had to fix something, I assume you meant:
| eval wday = strftime(_time, "%w")

Else I got an error on my end (6.4.2).

Still getting an error, though, on the last eval command:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<>/1024/1024/1024, 3)'.

0 Karma

Builder

Never mind, got it, just needed to have "FIELD" in caps.

THANKS!!!!

Can an admin please convert rjthibod's response to answer!

0 Karma

Champion

Sorry about that. Good catch.

0 Karma