Hi Guys,
I wrote a script that reads the metadata of files in an NTFS filesystem (creation date, last access date, size, etc.).
I have the output in Splunk and can do things like see how many files were added per year (I get this from the creation date):
index="fileindex" | eval cdt = strftime(strptime(CreationDate,"%d.%m.%Y %H:%M:%S"),"%Y") | stats count by cdt
But I also want to know how big those files are in total, per year.
So right now I have an output like:
Year, Number of Files
And I want to have:
Year, Number of Files, Size of the Files
Can you please help? I have no clue how to manage this.
Thanks in advance!
		Hi PPape,
try something like this:
index="fileindex" 
| eval cdt = strftime(strptime(CreationDate,"%d.%m.%Y %H:%M:%S"),"%Y") 
| stats sum(eval(size/1024/1024)) AS mySize_in_Mb count by cdt
hope this helps ...
cheers, MuS
This is exactly what I needed! Thank you very much!
Here is a small sample: http://pastebin.com/U7edkq2v
Yes, I have a field Size (it's the file size in bytes).
Well, do you have the size of the files in your index=fileindex? If so, please provide some samples.
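The same aggregation that MuS's stats query performs, done locally in Python as an added example (this is not code from the thread or from the poster's script). It assumes the script writes one key="value" event per file with the CreationDate format from the question and a Size field in bytes; the sample events are constructed, and the describe() helper, which produces such a line from a real file, is a hypothetical stand-in for the poster's collector. Two edge cases the SPL handles silently are made explicit: an event whose CreationDate does not parse gets a null cdt and drops out of the "by cdt" grouping, and an event with no Size still counts as a file but adds nothing to the sum.

```python
"""Per-year file count and total size, mirroring
   | eval cdt = strftime(strptime(CreationDate,"%d.%m.%Y %H:%M:%S"),"%Y")
   | stats sum(eval(Size/1024/1024)) AS mySize_in_Mb count by cdt
Added example; the event layout is an assumption, not the poster's real output."""
import os
import re
from collections import defaultdict
from datetime import datetime

DATE_FMT = "%d.%m.%Y %H:%M:%S"   # the format the question's strptime() uses

# Constructed sample events in the key="value" layout Splunk auto-extracts.
SAMPLE_EVENTS = [
    'Path="C:\\data\\report.docx" CreationDate="14.03.2012 09:12:44" Size=1048576',
    'Path="C:\\data\\backup.zip" CreationDate="02.11.2012 23:05:01" Size=3145728',
    'Path="C:\\data\\notes.txt" CreationDate="07.01.2013 08:00:00" Size=524288',
    'Path="C:\\data\\broken.bin" CreationDate="not a date" Size=100',  # unparseable date
    'Path="C:\\data\\nosize.bin" CreationDate="01.01.2013 00:00:00"',   # no Size field
]

# key=value or key="quoted value", as Splunk's automatic extraction would see it
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key/value fields of one event line as a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def size_by_year(lines):
    """Return {year: {"count": n, "mySize_in_Mb": mb}} sorted by year.

    Events whose CreationDate does not parse are skipped, as stats drops
    events with a null by-field; a missing Size contributes 0 bytes but the
    event is still counted, as sum() ignores null while count does not.
    """
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for line in lines:
        ev = parse_event(line)
        try:
            year = datetime.strptime(ev.get("CreationDate", ""), DATE_FMT).strftime("%Y")
        except ValueError:
            continue                      # null cdt: excluded from the grouping
        totals[year]["count"] += 1
        if "Size" in ev:
            totals[year]["bytes"] += int(ev["Size"])
    # Sum in bytes and convert once; same result as dividing per event,
    # without accumulating floating-point rounding error.
    return {y: {"count": t["count"], "mySize_in_Mb": t["bytes"] / 1024 / 1024}
            for y, t in sorted(totals.items())}


def describe(path):
    """Emit one event line for a real file (hypothetical collector helper).

    Assumption: on Windows st_ctime is the NTFS creation time (Python 3.12+
    also exposes st_birthtime); on Linux there is no creation time in
    os.stat(), so the fallback to st_ctime gives the inode change time,
    which is NOT the value the poster's NTFS script records.
    """
    st = os.stat(path)
    created = getattr(st, "st_birthtime", st.st_ctime)
    stamp = datetime.fromtimestamp(created).strftime(DATE_FMT)
    return f'Path="{path}" CreationDate="{stamp}" Size={st.st_size}'


if __name__ == "__main__":
    for year, row in size_by_year(SAMPLE_EVENTS).items():
        print(year, row["count"], f'{row["mySize_in_Mb"]:.2f} MB')
```

Two things to check before trusting the Splunk numbers: field names in SPL are case-sensitive, so the name inside sum(eval(...)) must match the extracted field exactly (Size and size are different fields, and a mismatch yields an empty sum rather than an error), and any file whose date string does not match the strptime format disappears from the result instead of being flagged, so compare the sum of the per-year counts against a plain "stats count" over the same index.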
