How would I get these results by day

rmcdougal · ‎08-06-2012

I am attempting to write a license usage search and I would like to be able to see the usage for the last 7 days. Here is what I am using so far and it shows the usage just fine all added together. I would like it to be broken down by day, any ideas?

index=_internal source=license_usage pool="auto_generated_pool_enterprise" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool

sideview · ‎08-06-2012

If you want to
a) end up with the data in graph form with both pool and day-of-week values, then you want to look at the chart command.

index=_internal source=license_usage pool="auto_generated_pool_enterprise" | eval GB=b/1024/1024/1024 | chart sum(GB) over date_wday by pool

b) if you dont want to graph it and you want to end up with more of a flat table where each row is a unique combination of a pool value and a day-of-week value, then you would use stats this way:

index=_internal source=license_usage pool="auto_generated_pool_enterprise" | eval GB=b/1024/1024/1024 | stats sum(GB) by date_wday pool

hth

How would I get these results by day

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

How would I get these results by day

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency