Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Covert KB to MB in a chart count search.

pdantuuri0411
Explorer
‎04-30-2020 01:59 PM

I have a chart count of Index using License usage using the below search. The search works fine but how to convert the usage from KB to MB.

index=_internal source=license_usage.log type="usage" idx=* earliest_time=-7d@d | convert timeformat="%F" ctime(_time)
| chart count over idx by _time | eval Time=strftime(_time,"%m-%d")

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tauliang
Communicator
‎04-30-2020 03:26 PM

You can add an extra line in the end to flip the axes

    | transpose

View solution in original post

Reply
Solved! Jump to solution
Solution

tauliang
Communicator
‎04-30-2020 03:26 PM

You can add an extra line in the end to flip the axes

    | transpose
Reply
Solved! Jump to solution

pdantuuri0411
Explorer
‎05-04-2020 01:23 PM

Thank you. This helped few a few minor changes.

0 Karma
Reply
Solved! Jump to solution

tauliang
Communicator
‎04-30-2020 02:29 PM

Try this: divide "b" by 1024*1024=104857, you will get the usage in MB: 

index=_internal source=*.log source="license_usage.log"
type="usage" idx=* earliest_time=-7d@d
|eval UsageInMB = round(b/1048576,2) 
| convert timeformat="%F" ctime(_time)
| chart sum(UsageInMB) over idx by _time 
| eval Time=strftime(_time,"%m-%d")
Reply
Solved! Jump to solution

pdantuuri0411
Explorer
‎04-30-2020 02:35 PM

Thank you @tauliang for the reply. I tried what you just posted by it did not convert from KB to MB. below is the result I got.

i_apache_coc 4771 4608 4650 4734 4814 5102 3454
i_apache_revproxy_24 5227 4989 4156 4090 4879 4729 4845

0 Karma
Reply
Solved! Jump to solution

tauliang
Communicator
‎04-30-2020 02:56 PM

Interesting. If somehow it doesn't work for you, I suggest downloading this app

https://splunkbase.splunk.com/app/2949/

and see if it shows all the meta data correctly.

0 Karma
Reply
Solved! Jump to solution

pdantuuri0411
Explorer
‎04-30-2020 03:01 PM

Unfortunately I dont have permissions to download apps for our splunk environment.

Strange thing is, when I tried the same chart using time chart[1], I am able to retrieve data in MB. The issue was I wanted to swap X axis and Y axis, so I modified the search to use chart count. Any other suggestions?

[1]
index=_internal source=license_usage.log type="Usage" idx=* earliest_time=@w
| timechart span=1d limit=0 eval(round(sum(b)/1024/1024,3)) as MB by idx | sort -_time

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...