Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone!
I have this serach:
index=_internal [set_local_host] source=license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | search pool="Data Hub" | timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15 | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
My question is how i can remove all under 4 gb in the results. I only want to show result that's is over 4 gb.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @amirarsalan,
Use this search:
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (b/(1024*1024*1024)) > 4
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @amirarsalan,
Use this search:
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (b/(1024*1024*1024)) > 4
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @DavidHourani
I tried your search but the results was "No results found"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need to include the | where (b/(1024*1024*1024)) > 4 to filter on anything more than 4GB. Try moving it to the last line and replace it with bwith the volume fields that's in Bytes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this? stil the same results
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
| where (b/(1024*1024*1024)) > 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after this
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
One of your fields will contain the value you need to have over 4GB, give me the field name so I can give you the where clause 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm i don't now if i understand right but this is my serach from the first:
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
I can see my results correct . But i only want too see value over 4 gb. Don't find that field you want or how can i found it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DavidHourani do you mean this:
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@amirarsalan, yeah. Try something replacing that with this :
foreach * [eval <>=if('<>'>(4*1024*1024*1024),round('<>'/1024/1024/1024, 3),"0"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stil not working. Error message "Error in "Eval" command: The expression is malformed. Expected"
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=if('<>'>(4*1024*1024*1024),round('<>'/1024/1024/1024, 3),"0"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry bad formatting, try this :
| foreach * [eval <<FIELD>>=if(round('<<FIELD>>'/1024/1024/1024, 3)>4,round('<<FIELD>>'/1024/1024/1024, 3),"0")]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @DavidHourani now its working 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
awesome ! this took a while 🙂 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume the 4gb per given _time, pool, s, st, h, idx ?
You could try.. something like
index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (count/(1024*1024*1024)) > 4
| ... continue with rest of your logic..
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
