Get database Size per day and Total size of all da...

dpatiladobe · ‎02-21-2018

I would like to get o/p as below

I am using

But it give Total per row instead of combining rows or toal of database per day.

mayurr98 · ‎02-21-2018

You can try something like this

 index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx 
 |eval date=strftime(_time, "%Y-%m-%d") 
 |eval Size_MB = replace(Size,"MB","")
 |convert num(Size_MB) as Size_MB 
 |table date Database Size_MB
 |eventstats sum(Size_MB) as Total by  date

let me know if this helps!

dpatiladobe · ‎02-22-2018

The Total value is set for all rows and not as per the above.

HiroshiSatoh · ‎02-21-2018

Try this!

index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx 
|eval date=strftime(_time, "%Y-%m-%d") 
|eval Size_MB = replace(Size,"MB","") 
|table date Database Size_MB
|streamstats count as No by Data
|eventstats sum(size) as Total,max(No) as Max_No by  date
|eval Total=if(No=Max_No,Total,"")
|table date Database Size_MB Total

dpatiladobe · ‎02-22-2018

The Total value is set for all rows and not as per the above.

HiroshiSatoh · ‎02-23-2018

Fix to display total on the last line.
I have never done it before ...

Get database Size per day and Total size of all databases

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Get database Size per day and Total size of all databases

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!