Description:
SPL query that displays, per index:
- Index name
- Licensed volume in GB (bytes counted against the license at ingest, from license_usage.log; this is not the on-disk size of the index)
- Events per second (EPS): sum of events, min, avg, max, perc95
- Events per second during working hours (date_hour 8 through 18, i.e. 08:00 to 18:59): min, avg, max, perc95
Required:
- Splunk Enterprise license (the query reads license_usage.log from the _internal index, so it must run where the license manager's _internal data is searchable)
Query:
index=_internal source=*license_usage.log type=Usage idx=z*
| fields b idx _time
| eval GB=b/1024/1024/1024, index=idx
| stats sum(GB) as "Volume GB" by index
| append extendtimerange=t
    [| tstats count where index=z* by _time index span=1s
     | stats min(count) AS "min EPS", avg(count) AS "avg EPS", max(count) AS "max EPS", sum(count) AS "sum evts", perc95(count) AS "perc95 EPS" by index]
| append extendtimerange=t
    [| tstats count where index=z* by _time index span=1s
     | eval date_hour=tonumber(strftime(_time, "%H"))
     | where date_hour>=8 AND date_hour<=18
     | stats min(count) AS "min EPS WH", avg(count) AS "avg EPS WH", max(count) AS "max EPS WH", perc95(count) AS "perc95 EPS WH" by index]
| stats first(*) as * by index
| eval "avg EPS"=round('avg EPS', 2), "perc95 EPS"=round('perc95 EPS', 2), "Volume GB"=round('Volume GB', 2),
       "avg EPS WH"=round('avg EPS WH', 2), "perc95 EPS WH"=round('perc95 EPS WH', 2),
       "sizeGB by evt"='Volume GB'/'sum evts', "sizeB by evt"=('Volume GB'/'sum evts')*1024*1024*1024
| table index, "Volume GB", "sum evts", "sizeGB by evt", "sizeB by evt", "min EPS", "min EPS WH", "avg EPS", "avg EPS WH", "perc95 EPS", "perc95 EPS WH", "max EPS", "max EPS WH"
Notes:
- type=Usage keeps only the per-index usage lines of license_usage.log; the RolloverSummary lines carry no idx field and would otherwise be silently dropped by idx=z*.
- extendtimerange=t is required on both append commands so that the tstats subsearches use the time range of the outer search rather than the default subsearch range.
- The hour filter converts strftime's "08"-style string to a number before comparing; date_hour 8 through 18 covers 08:00:00 to 18:59:59 in the time zone configured for the user running the search.
- tstats with span=1s returns only seconds that contain at least one event, so "min EPS" is the minimum over non-empty seconds (never 0) and "avg EPS" is the average over non-empty seconds, not over the whole time range.
- Each append subsearch is subject to the subsearch limits (by default 60 seconds and 50,000 rows for append). Over long time ranges with many z* indexes, narrow the time window or raise those limits in limits.conf rather than trusting a silently truncated result.
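Because tstats with span=1s yields no rows for seconds without events, the min and avg EPS above describe busy seconds only. The variant below is an added example, not part of the original query, showing how to count empty seconds as zero by comparing the number of non-empty seconds against the length of the search window. It assumes the same index=z* pattern and a bounded time range such as -24h@h to @h: on an all-time search addinfo reports info_max_time as +Infinity and the total_secs arithmetic breaks. perc95 over all seconds would need filled buckets and is left as in the original.

```spl
| tstats count where index=z* by _time index span=1s
| addinfo
| eventstats count as nonempty_secs by index
| eval total_secs=round(info_max_time - info_min_time)
| stats sum(count) as "sum evts", min(count) as min_nonempty, max(count) as "max EPS",
        first(nonempty_secs) as nonempty_secs, first(total_secs) as total_secs by index
| eval "min EPS"=if(nonempty_secs < total_secs, 0, min_nonempty),
       "avg EPS"=round('sum evts' / total_secs, 2),
       "empty secs"=total_secs - nonempty_secs
| table index, "sum evts", "empty secs", "min EPS", "avg EPS", "max EPS"
```

The "empty secs" column is a useful sanity check on its own: a production index that shows thousands of empty seconds in a 24-hour window is either genuinely bursty or has a forwarder that stopped sending, and the EPS figures from the original query would hide that gap.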