sum question

mcbradford
Contributor

I would like to analyze two different sources to determine how much data is being indexed.

index="_internal" source="*license_usage.log" s=*win*| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

For the search above, there are 5 or 6 sources, so I want a count of the total gb used and this works.

What I really want is to be able to change the search to something like this...

index="_internal" source="*license_usage.log" s=*win* s=abc| stats count sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024

BUT, I want a sum of the s=*win* and a sum of s=abc

Ideas?


jonuwz
Influencer

Like this?

index="_internal" source="*license_usage.log" (s=*win* OR s=abc) 
| eval s=if(s=="abc","abc","win")
| stats sum(b) as gb by s
| eval gb=gb/1024/1024/1024

jonuwz
Influencer

What systems? Where does 31 come from? How will "per s" work given we're wildcarding win to get the sum?

You need to be more specific with your examples.


mcbradford
Contributor

OK - so to add to the complexity...

This works great. I would like to take my count of systems per s and determine the mb used per system.

I was using something like this, but I had to run a search for each group.

index="_internal" source="*license_usage.log" s=abc| stats sum(b) by s | rename "sum(b)" as total_bytes | stats sum(total_bytes) | rename "sum(total_bytes)" as total | eval gb=total/1024/1024/1024 | eval mb=total/1024/1024 | eval mb_per_system=mb/31

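An added example, not posted by anyone in the thread, that folds the follow-up (mb per system) into jonuwz's grouping approach: instead of hard-coding 31 as the number of systems, count the distinct hosts reporting in each group with dc(h), so the per-system figure is computed from the same events. It assumes a "system" means a distinct value of the h (host) field in license_usage.log, and restricts to type=Usage so that only the per-minute usage lines, not rollover summary lines, contribute to the byte totals.

```spl
index="_internal" source="*license_usage.log" type="Usage" (s="*win*" OR s="abc")
| eval grp=if(s=="abc", "abc", "win")
| stats sum(b) AS total_bytes dc(h) AS systems BY grp
| eval gb=round(total_bytes/1024/1024/1024, 2)
| eval mb_per_system=round(total_bytes/1024/1024/systems, 2)
```

If h or s come back empty for many events, the indexer has squashed those fields because the number of distinct source/host/sourcetype/index combinations exceeded its squash threshold, and the per-host breakdown is no longer reliable for that period.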