- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Covert KB to MB in a chart count search.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a chart count of Index using License usage using the below search. The search works fine but how to convert the usage from KB to MB.
index=_internal source=license_usage.log type="usage" idx=* earliest_time=-7d@d | convert timeformat="%F" ctime(_time)
| chart count over idx by _time | eval Time=strftime(_time,"%m-%d")
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add an extra line in the end to flip the axes
| transpose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This helped few a few minor changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this: divide "b" by 1024*1024=104857, you will get the usage in MB:
index=_internal source=*.log source="license_usage.log"
type="usage" idx=* earliest_time=-7d@d
|eval UsageInMB = round(b/1048576,2)
| convert timeformat="%F" ctime(_time)
| chart sum(UsageInMB) over idx by _time
| eval Time=strftime(_time,"%m-%d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @tauliang for the reply. I tried what you just posted by it did not convert from KB to MB. below is the result I got.
i_apache_coc 4771 4608 4650 4734 4814 5102 3454
i_apache_revproxy_24 5227 4989 4156 4090 4879 4729 4845
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting. If somehow it doesn't work for you, I suggest downloading this app
https://splunkbase.splunk.com/app/2949/
and see if it shows all the meta data correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately I dont have permissions to download apps for our splunk environment.
Strange thing is, when I tried the same chart using time chart[1], I am able to retrieve data in MB. The issue was I wanted to swap X axis and Y axis, so I modified the search to use chart count. Any other suggestions?
[1]
index=_internal source=license_usage.log type="Usage" idx=* earliest_time=@w
| timechart span=1d limit=0 eval(round(sum(b)/1024/1024,3)) as MB by idx | sort -_time
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
