Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change Column Color If Over Threshhold - Splunk License

aferone
Builder
‎07-23-2014 06:47 AM

I've looked at this link:

http://answers.splunk.com/answers/7228/change-column-color-if-over-a-range

However, I am trying to make a chart to show our Splunk license overages (past 30 days, span of 1 day). I'm not sure how to use the timechart spanning capabilities (1 day) with the existing method in the link.

Any help is appreciated, and thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

strive
Influencer
‎07-23-2014 10:30 AM

In that example before stats use bucket. Edited Search is below

Your base search | bucket _time span=1d 
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low

Include earliest and latest searchtime modifiers in your base search

Check if this works

View solution in original post

Reply
Solved! Jump to solution
Solution

strive
Influencer
‎07-23-2014 10:30 AM

In that example before stats use bucket. Edited Search is below

Your base search | bucket _time span=1d 
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low

Include earliest and latest searchtime modifiers in your base search

Check if this works

Reply
Solved! Jump to solution

aferone
Builder
‎07-25-2014 08:38 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 07:50 AM

Here you go
index=_internal source=*metrics.log group="per_index_thruput" | timechart span=1d sum(kb) as TotalKB | eval high=if(TotalKB>1000,TotalKB,0) | eval low=TotalKB-high | fields - TotalKB

More information at: http://blogs.splunk.com/2008/03/13/digging-into-metrics-log/

You can do some math and convert it into GB if you need.
eval TotalGB=TotalKB/1048576

Include earliest and latest search time modifiers as per your needs.

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎07-24-2014 07:14 AM

It's Splunk internal data:

index=internal source=*metrics.log group=per_index_thruput series!=*

Using the "kb" field

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 07:11 AM

Can you post some sample data. That will help us to help you in a better way.

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎07-24-2014 06:55 AM

The problem is I am not counting events. I am adding up the "kb" field in the metrics to determine how much data we logged in a day. The stats command doesn't allow me to use a varible, it seems.

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-23-2014 10:39 AM

I tried one more way, that is

Your base search | timechart span=1d count | eval high=if(count>1000,count,0) | eval low=count-high | fields - count

Even this works.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...