We are using Splunk 6.0.1, and I found a search that generates license usage by host:
index=_internal source=*license_usage.log type=Usage | stats sum(b) as bytes by h | eval MB = round(bytes/1024/1024,1) | fields h MB | rename h as host | sort -MB
What I'd like to do is extend it further to 24 hour spans. The closest I've come is breaking it down by day:
index=_internal source=*license_usage.log type=Usage | eval MB = round(b/1024/1024,1) | timechart per_day(MB) by h span=24h
...but the end always shows today's stats looking much lower because there isn't enough data.
Is there a way to get per_day to start at the current time rather than midnight?
... View more