Hello everyone, I am trying to create a search that will tell me yesterdays total usage. We have both a dev and a production enviornment and i would like to create a search that takes the 2GB that are allocated to the dev and the 19 GB that are allocated to the production and show a percentage based off of that. Where i have ((volume/18)*100) is applied to both the dev and the prod and gives it a wrong number for the dev since i only want to divide by 2. Does anyone have any idea of how to seperate the eval statement that I have so that one is attached to dev ((volume/2)*100) and the other to production ((volume/18)*100). This will give me the proper percentages, or maybe another way to do this. Thank you,
Here is my Search:
index=_internal source=*license_usage* type=Usage | eval GB=b/1024/1024/1024 | bucket _time span=1d | stats sum(GB) AS volume by _time pool | eval percent_difference=((volume/18)*100) |fields _time pool volume percent_difference|rename _time AS Date/Time pool AS Pool volume AS Volume(GB) percent_difference AS Percent(%)| convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Date/Time)
Updated Serach: ( Still having problem on getting the percentages to display)
index=_internal source=license_usage type=Usage | eval GB=b/1024/1024/1024| eval Percent(%)=case(type="Splunk Development",((volume/2)*100), type="auto_generated_pool_enterprise",((volume/18)*100)) | bucket _time span=1d | stats sum(GB) AS volume by _time pool |fields _time pool volume percent_difference|rename _time AS Date/Time pool AS Pool volume AS Volume(GB) percent_difference AS Percent(%)| convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Date/Time)
... View more