Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change Column Color If Over Threshhold - Splunk License

aferone
Builder
‎07-23-2014 06:47 AM

I've looked at this link:

http://answers.splunk.com/answers/7228/change-column-color-if-over-a-range

However, I am trying to make a chart to show our Splunk license overages (past 30 days, span of 1 day). I'm not sure how to use the timechart spanning capabilities (1 day) with the existing method in the link.

Any help is appreciated, and thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

strive
Influencer
‎07-23-2014 10:30 AM

In that example before stats use bucket. Edited Search is below

Your base search | bucket _time span=1d 
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low

Include earliest and latest searchtime modifiers in your base search

Check if this works

View solution in original post

Reply
Solved! Jump to solution
Solution

strive
Influencer
‎07-23-2014 10:30 AM

In that example before stats use bucket. Edited Search is below

Your base search | bucket _time span=1d 
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low

Include earliest and latest searchtime modifiers in your base search

Check if this works

Reply
Solved! Jump to solution

aferone
Builder
‎07-25-2014 08:38 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 07:50 AM

Here you go
index=_internal source=*metrics.log group="per_index_thruput" | timechart span=1d sum(kb) as TotalKB | eval high=if(TotalKB>1000,TotalKB,0) | eval low=TotalKB-high | fields - TotalKB

More information at: http://blogs.splunk.com/2008/03/13/digging-into-metrics-log/

You can do some math and convert it into GB if you need.
eval TotalGB=TotalKB/1048576

Include earliest and latest search time modifiers as per your needs.

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎07-24-2014 07:14 AM

It's Splunk internal data:

index=internal source=*metrics.log group=per_index_thruput series!=*

Using the "kb" field

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 07:11 AM

Can you post some sample data. That will help us to help you in a better way.

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎07-24-2014 06:55 AM

The problem is I am not counting events. I am adding up the "kb" field in the metrics to determine how much data we logged in a day. The stats command doesn't allow me to use a varible, it seems.

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-23-2014 10:39 AM

I tried one more way, that is

Your base search | timechart span=1d count | eval high=if(count>1000,count,0) | eval low=count-high | fields - count

Even this works.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...