Get database Size per day and Total size of all da...

dpatiladobe · ‎02-21-2018

I would like to get o/p as below

I am using

But it give Total per row instead of combining rows or toal of database per day.

mayurr98 · ‎02-21-2018

You can try something like this

 index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx 
 |eval date=strftime(_time, "%Y-%m-%d") 
 |eval Size_MB = replace(Size,"MB","")
 |convert num(Size_MB) as Size_MB 
 |table date Database Size_MB
 |eventstats sum(Size_MB) as Total by  date

let me know if this helps!

dpatiladobe · ‎02-22-2018

The Total value is set for all rows and not as per the above.

HiroshiSatoh · ‎02-21-2018

Try this!

index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx 
|eval date=strftime(_time, "%Y-%m-%d") 
|eval Size_MB = replace(Size,"MB","") 
|table date Database Size_MB
|streamstats count as No by Data
|eventstats sum(size) as Total,max(No) as Max_No by  date
|eval Total=if(No=Max_No,Total,"")
|table date Database Size_MB Total

dpatiladobe · ‎02-22-2018

The Total value is set for all rows and not as per the above.

HiroshiSatoh · ‎02-23-2018

Fix to display total on the last line.
I have never done it before ...

Get database Size per day and Total size of all databases

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation