Re: Splunk Ingestion by Day

scout29 · ‎07-24-2024

I am trying to create a bar chart that shows the total daily splunk ingestion (in TB) by day for the past month. I am using the below search, but i am not able to get the |timechart to work to display the total ingestion by day. What am i missing?

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | stats sum(b) as usage
| eval usage=round(usage/1024/1024/1024) | eval usage = tostring(Used, "commas")

scelikok · ‎07-24-2024

There is a typo on @richgalloway's suggestion, please try below;

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* 
| timechart span=1d sum(b) as usage
| eval usage=round(usage/1024/1024/1024) 
| eval usage = tostring(usage, "commas")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

richgalloway · ‎07-24-2024

Replace stats in the query with timechart and it should work.

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* 
| timechart span=1d sum(b) as usage
| eval usage=round(usage/1024/1024/1024) 
| eval usage = tostring(Used, "commas")

---
If this reply helps you, Karma would be appreciated.

PickleRick · ‎07-24-2024

You're doing stats aggregation to a single value. Your stats sum(b) will produce just one overall number.

gcusello · ‎07-24-2024

Hi @scout29 ,

see in the Monitoring Console App or in [Settins > License < License Conuption Report > previous 30 days] and you'll have your search.

ciao.

Giuseppe

Splunk Ingestion by Day

chart

field extraction

fields

search job inspector

stats

table

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Splunk Ingestion by Day