Hi:
I'm new to Splunk and I've been trying to run the following query for a couple of weeks but I only get data for the current date:
sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","Site1", if(GW="xx2","Site2", GW))|eventstats sum(cs_bytes) as dl by Gateway|timechart count(eval(dl/1048576)) as "Download (MBytes)" by Gateway span=24h
OR
sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","DCW", if(GW="xx2","DCE", GW))|eventstats sum(cs_bytes) as dl by Gateway|bucket _time span=24h|convert timeformat="%m/%d/%Y" ctime(_time) AS c_time|chart count(eval(dl/1048576)) as "Download (MBytes)" over c_time by Gateway
In short, I'm trying to get the downloads (sc_bytes) in Megabytes (the information is provided in bytes) by Gateway per day.
Can anybody point me to what I am doing wrong?
Thanks!
... View more