Splunk Search

Help with search

amirarsalan
Explorer

Hi everyone!

I have this search:

index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

My question is how I can remove everything under 4 GB from the results. I only want to show results that are over 4 GB.
Thanks in advance

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @amirarsalan,

Use this search:

index=_internal [`set_local_host`] source=license_usage.log type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| where (b/(1024*1024*1024)) > 4
| search pool="Data Hub" 
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15 
| fields - _timediff 
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]

Cheers,
David


amirarsalan
Explorer

Hi @DavidHourani

I tried your search, but the result was "No results found".

0 Karma

DavidHourani
Super Champion

You need to include the | where (b/(1024*1024*1024)) > 4 to filter on anything more than 4 GB. Try moving it to the last line and replacing b with the volume field that's in bytes.

amirarsalan
Explorer

Like this? Still the same results.

index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
| where (b/(1024*1024*1024)) > 4

0 Karma

DavidHourani
Super Champion

After this:
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
One of your fields will contain the value that needs to be over 4 GB; give me the field name so I can give you the where clause 😄

0 Karma

amirarsalan
Explorer

Hmm, I don't know if I understand right, but this is my search from the start:
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]

I can see my results correctly. But I only want to see values over 4 GB. I can't find that field you want; how can I find it?

0 Karma

amirarsalan
Explorer

@DavidHourani do you mean this:

| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]

0 Karma

DavidHourani
Super Champion

@amirarsalan, yeah. Try replacing that with this:

foreach * [eval <>=if('<>'>(4*1024*1024*1024),round('<>'/1024/1024/1024, 3),"0"]
0 Karma

amirarsalan
Explorer

Still not working. Error message: "Error in "Eval" command: The expression is malformed. Expected"

index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=if('<>'>(4*1024*1024*1024),round('<>'/1024/1024/1024, 3),"0"]

0 Karma

DavidHourani
Super Champion

Sorry, bad formatting, try this:

| foreach * [eval <<FIELD>>=if(round('<<FIELD>>'/1024/1024/1024, 3)>4,round('<<FIELD>>'/1024/1024/1024, 3),"0")]
0 Karma
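An added variant of the working search above (my own example, not from anyone in the thread): after timechart the per-source field b no longer exists, only _time and one column per idx, which is why a trailing "| where b > ..." returns nothing; filtering therefore has to run over the idx columns with foreach. This version converts to GB first and then nulls out any index/day under 4 GB instead of writing the string "0", so the chart leaves a gap rather than plotting a zero. It assumes the same `set_local_host` macro, pool name and fields as the original search.

```spl
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
| foreach * [eval <<FIELD>>=if('<<FIELD>>'>=4, '<<FIELD>>', null())]
```

If the intent is instead to keep only individual host/source combinations that sent more than 4 GB on a day, put "| where b > 4*1024*1024*1024" directly after the stats command, before timechart, while b still exists.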

amirarsalan
Explorer

Thanks a lot @DavidHourani, now it's working 🙂

0 Karma

DavidHourani
Super Champion

Awesome! This took a while 🙂 🙂

0 Karma

koshyk
Super Champion

I assume the 4 GB is per given _time, pool, s, st, h, idx?
You could try something like:

index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (b/(1024*1024*1024)) > 4
| ... continue with rest of your logic..
0 Karma