Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sum question

mcbradford
Contributor
‎04-04-2013 11:38 AM

I would like to analyze two different sources to determine how much data is being indexed.

index="_internal" source="*license_usage.log" s=*win*| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

For the search above, there are 5 or 6 sources, so I want a count of the total gb used and this works.

What I really want is to be able to change the search to something like this...

index="_internal" source="*license_usage.log" s=*win* s=abc| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

BUT, I want a sum of the s=*win* and a sum of s=abc

Ideas?

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎04-04-2013 12:26 PM

like this ?

index="_internal" source="*license_usage.log" (s=*win* OR s=abc) 
| eval s=if(s=="abc","abc","win")
| stats sum(b) as gb by s
| eval gb=gb/1024/1024/1024
Reply

jonuwz
Influencer
‎04-04-2013 03:54 PM

what systems ? where does 31 come from ? how will "per s" work given we're wilcarding win to get the sum ?

You need to be more specific with your examples

0 Karma
Reply

mcbradford
Contributor
‎04-04-2013 12:43 PM

ok - so to add to complexity....

This work great, I would like to take my count of systems per s and determine the mb used per system.

I was using something like to but I had to run a search for each group.

index="_internal" source="*license_usage.log" s=abc| stats sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024 | eval mb=total/1024/1024 | eval mb_per_system=mb/31

0 Karma
Reply
Related Topics
Stats Sum question
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...