sum question

mcbradford · ‎04-04-2013

I would like to analyze two different sources to determine how much data is being indexed.

index="_internal" source="*license_usage.log" s=*win*| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

For the search above, there are 5 or 6 sources, so I want a count of the total gb used and this works.

What I really want is to be able to change the search to something like this...

index="_internal" source="*license_usage.log" s=*win* s=abc| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

BUT, I want a sum of the s=*win* and a sum of s=abc

Ideas?

jonuwz · ‎04-04-2013

like this ?

index="_internal" source="*license_usage.log" (s=*win* OR s=abc) 
| eval s=if(s=="abc","abc","win")
| stats sum(b) as gb by s
| eval gb=gb/1024/1024/1024

jonuwz · ‎04-04-2013

what systems ? where does 31 come from ? how will "per s" work given we're wilcarding win to get the sum ?

You need to be more specific with your examples

mcbradford · ‎04-04-2013

ok - so to add to complexity....

This work great, I would like to take my count of systems per s and determine the mb used per system.

I was using something like to but I had to run a search for each group.

sum question

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies