Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change Column Color If Over Threshhold - Splunk License

aferone
Builder
‎07-23-2014 06:47 AM

I've looked at this link:

http://answers.splunk.com/answers/7228/change-column-color-if-over-a-range

However, I am trying to make a chart to show our Splunk license overages (past 30 days, span of 1 day). I'm not sure how to use the timechart spanning capabilities (1 day) with the existing method in the link.

Any help is appreciated, and thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

strive
Influencer
‎07-23-2014 10:30 AM

In that example before stats use bucket. Edited Search is below

Your base search | bucket _time span=1d 
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low

Include earliest and latest searchtime modifiers in your base search

Check if this works

View solution in original post

Reply
Solved! Jump to solution
Solution

strive
Influencer
‎07-23-2014 10:30 AM

In that example before stats use bucket. Edited Search is below

Your base search | bucket _time span=1d 
| stats count by _time
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields _time,high,low

Include earliest and latest searchtime modifiers in your base search

Check if this works

Reply
Solved! Jump to solution

aferone
Builder
‎07-25-2014 08:38 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 07:50 AM

Here you go
index=_internal source=*metrics.log group="per_index_thruput" | timechart span=1d sum(kb) as TotalKB | eval high=if(TotalKB>1000,TotalKB,0) | eval low=TotalKB-high | fields - TotalKB

More information at: http://blogs.splunk.com/2008/03/13/digging-into-metrics-log/

You can do some math and convert it into GB if you need.
eval TotalGB=TotalKB/1048576

Include earliest and latest search time modifiers as per your needs.

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎07-24-2014 07:14 AM

It's Splunk internal data:

index=internal source=*metrics.log group=per_index_thruput series!=*

Using the "kb" field

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 07:11 AM

Can you post some sample data. That will help us to help you in a better way.

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎07-24-2014 06:55 AM

The problem is I am not counting events. I am adding up the "kb" field in the metrics to determine how much data we logged in a day. The stats command doesn't allow me to use a varible, it seems.

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-23-2014 10:39 AM

I tried one more way, that is

Your base search | timechart span=1d count | eval high=if(count>1000,count,0) | eval low=count-high | fields - count

Even this works.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...