Solved: Convert timechart to table

jtrucks · ‎08-22-2013

I need to convert the search output from using timechart to a table so I can have only a three column display output (for my specific bubble charting needs).

The search:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by s useother=false usenull=false

Existing output has many columns like:

_time      /path/to/file.log /path/to/otherfile.log /path/to/foo /path/to/bar
7/23/13 2.8                      1.6                             4.6                 3.9
7/24/13 3.0                      1.9                             3.9                  4.2

What I need is something like:

_time      source                        GB
7/23/13 /path/to/file.log         2.8
7/23/13 /path/to/otherfile.log 1.6
7/23/13 /path/to/foo               4.6
7/23/13 /path/to/bar               3.9
7/24/13 /path/to/file.log          3.0
7/24/13 /path/to/otherfile.log  1.9
7/24/13 /path/to/foo                3.9
7/24/13 /path/to/bar                4.2

Any help please?

Ayn · ‎08-22-2013

Use stats instead (and use bucket to create the timespans):

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | bucket _time span=1d | stats sum(GB) by _time,s

View solution in original post

Ayn · ‎08-22-2013

Use stats instead (and use bucket to create the timespans):

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | bucket _time span=1d | stats sum(GB) by _time,s

View solution in original post

linu1988 · ‎08-23-2013

The below also gives us a good info :

| rest /services/licenser/pools| where title = "Indexers"|eval Total=(used_bytes/1024/1024/1024)

jtrucks · ‎08-22-2013

Well, the formatting is hosed, but hopefully what I'm getting at is clear.