Get database Size per day and Total size of all databases

dpatiladobe
Explorer

I would like to get the output as below.

I am using

index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx
| eval date=strftime(_time, "%Y-%m-%d")
| eval Size_MB = replace(Size,"MB","")
| table date Database Size_MB
| addtotals

But it gives Total per row instead of combining rows or total of database per day.

0 Karma

mayurr98
Super Champion

You can try something like this

 index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx 
 |eval date=strftime(_time, "%Y-%m-%d") 
 |eval Size_MB = replace(Size,"MB","")
 |convert num(Size_MB) as Size_MB 
 |table date Database Size_MB
 |eventstats sum(Size_MB) as Total by  date

Let me know if this helps!

0 Karma

dpatiladobe
Explorer

The Total value is set for all rows and not as per the above.

0 Karma

HiroshiSatoh
Champion

Try this!

index=xxxx sourcetype="log" "Database =" AND "Size" host=xxxxx 
|eval date=strftime(_time, "%Y-%m-%d") 
|eval Size_MB = replace(Size,"MB","") 
|table date Database Size_MB
|streamstats count as No by date
|eventstats sum(Size_MB) as Total,max(No) as Max_No by  date
|eval Total=if(No=Max_No,Total,"")
|table date Database Size_MB Total
0 Karma

dpatiladobe
Explorer

The Total value is set for all rows and not as per the above.

0 Karma

HiroshiSatoh
Champion

Fix to display total on the last line.
I have never done it before ...

0 Karma
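
An alternative to the approaches in this thread, added here as an example and not posted by any participant: `appendpipe` computes a per-day sum and appends it as its own "Total" row under each day's databases, so no row carries a repeated total. The four rows in `constructed_row`, the database names `db_a`/`db_b`, and the helper field `ord` are constructed for illustration; in a real search, replace the first four lines with the base search and the `date` eval from the question.

```spl
| makeresults
| eval constructed_row=split("2018-05-01,db_a,120MB;2018-05-01,db_b,80MB;2018-05-02,db_a,125MB;2018-05-02,db_b,95MB", ";")
| mvexpand constructed_row
| rex field=constructed_row "^(?<date>[^,]+),(?<Database>[^,]+),(?<Size>.+)$"
| eval Size_MB=tonumber(replace(Size, "MB$", "")), ord=0
| appendpipe
    [ stats sum(Size_MB) as Size_MB by date
    | eval Database="Total", ord=1 ]
| sort 0 date ord Database
| table date Database Size_MB
```

The `ord` field exists only to force each day's "Total" row to sort after that day's database rows; `tonumber` makes `Size_MB` numeric before it is summed.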