Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sum question

mcbradford
Contributor
‎04-04-2013 11:38 AM

I would like to analyze two different sources to determine how much data is being indexed.

index="_internal" source="*license_usage.log" s=*win*| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

For the search above, there are 5 or 6 sources, so I want a count of the total gb used and this works.

What I really want is to be able to change the search to something like this...

index="_internal" source="*license_usage.log" s=*win* s=abc| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

BUT, I want a sum of the s=*win* and a sum of s=abc

Ideas?

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎04-04-2013 12:26 PM

like this ?

index="_internal" source="*license_usage.log" (s=*win* OR s=abc) 
| eval s=if(s=="abc","abc","win")
| stats sum(b) as gb by s
| eval gb=gb/1024/1024/1024
Reply

jonuwz
Influencer
‎04-04-2013 03:54 PM

what systems ? where does 31 come from ? how will "per s" work given we're wilcarding win to get the sum ?

You need to be more specific with your examples

0 Karma
Reply

mcbradford
Contributor
‎04-04-2013 12:43 PM

ok - so to add to complexity....

This work great, I would like to take my count of systems per s and determine the mb used per system.

I was using something like to but I had to run a search for each group.

index="_internal" source="*license_usage.log" s=abc| stats sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024 | eval mb=total/1024/1024 | eval mb_per_system=mb/31

0 Karma
Reply
Related Topics
Stats Sum question
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
li.common.scroll-to.top