timechart total mb per source

arjangoos · ‎07-20-2012

I want to create a timechart line graph based on: total kb per source over time. Now I have:

index="_internal" source="*metrics.log" per_source_thruput access_log | bin _time span=1d as day | timechart sum(kb) as totalKB | streamstats sum(totalKB)

This search works but only for access_log, I want to see all sources in one graph

time size result

on 0:00 100kb 100kb

on 1:00 50kb 150kb

on 1:30 27kb 177kb

arjangoos · ‎07-23-2012

Ok thanks for your reply. But it is not an answer to my question. So if anyone knows how I can solve my problem.

yannK · ‎07-24-2012

so you can use the same search, differentiate per series. (the bucket is not necessary, timechart will to it)



index=_internal source="*metrics.log" per_source_thruput |timechart span=1d sum(kb) as totalKB by series | streamstats sum(totalKB)

the totalKB will be the total of each day added the previous days, if you want total per unique day, use |addtotals



index=_internal source="*metrics.log" per_source_thruput  |timechart span=1d sum(kb) as totalKB by series | addtotals

then click on the graph display (the third display mode)

yannK · ‎07-20-2012

Do you know that metrics.log contains only a sample of the measures (top 10), this means that you can look at speed measures, but not a volume, especially if yo have more than 10 sources...

if you want to measure precisely the volume per source, check this guide, using license_usage.log

http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

timechart total mb per source

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL