All right, I've given up googling. I can't find the answer to this simple question, so I hope you can help me out:
I have a nice search that lists all the indexes and their license consumption. This works fine:
index=_internal source="*license_usage.log*" type=Usage
| eval yearmonthday=strftime(_time, "%Y%m%d")
| eval yearmonth=strftime(_time, "%Y%m%d")
| stats sum(b) AS volume_b by idx yearmonthday yearmonth
| eval MB=round(volume_b/1024/1024,2)
| chart sum(MB) over yearmonth by idx
I now want to filter this table to show ONLY ONE of the indexes, and then create a graph of how it evolved over time. I cannot for the life of me find a way to exclude all other indexes from the search and just leave one.
So any of these could solve my issue:
How to filter results from an already working search.
How to make a graph that shows the evolution of license consumption of a specific index.
Thanks a lot.