Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone!
I have this serach:
index=_internal [set_local_host] source=license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | search pool="Data Hub" | timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15 | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
My question is how i can remove all under 4 gb in the results. I only want to show result that's is over 4 gb.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @amirarsalan,
Use this search:
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (b/(1024*1024*1024)) > 4
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @amirarsalan,
Use this search:
index=_internal [`set_local_host`] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (b/(1024*1024*1024)) > 4
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @DavidHourani
I tried your search but the results was "No results found"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need to include the | where (b/(1024*1024*1024)) > 4 to filter on anything more than 4GB. Try moving it to the last line and replace it with bwith the volume fields that's in Bytes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this? stil the same results
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
| where (b/(1024*1024*1024)) > 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after this
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
One of your fields will contain the value you need to have over 4GB, give me the field name so I can give you the where clause 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm i don't now if i understand right but this is my serach from the first:
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
I can see my results correct . But i only want too see value over 4 gb. Don't find that field you want or how can i found it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DavidHourani do you mean this:
| foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@amirarsalan, yeah. Try something replacing that with this :
foreach * [eval <>=if('<>'>(4*1024*1024*1024),round('<>'/1024/1024/1024, 3),"0"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stil not working. Error message "Error in "Eval" command: The expression is malformed. Expected"
index=_internal [set_local_host] source=license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="Data Hub"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=15
| fields - _timediff
| foreach * [eval <>=if('<>'>(4*1024*1024*1024),round('<>'/1024/1024/1024, 3),"0"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry bad formatting, try this :
| foreach * [eval <<FIELD>>=if(round('<<FIELD>>'/1024/1024/1024, 3)>4,round('<<FIELD>>'/1024/1024/1024, 3),"0")]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @DavidHourani now its working 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
awesome ! this took a while 🙂 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume the 4gb per given _time, pool, s, st, h, idx ?
You could try.. something like
index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| where (count/(1024*1024*1024)) > 4
| ... continue with rest of your logic..
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
