Category Archives: Splunk

假設是要取得目前使用量 index=internal source=*metrics.log group=per_index_thruput NOT (series=* OR series=*summary) starttime=02/07/2013:00:00:00 | timechart span=1d sum(eval(kb/1024)) AS “MB indexed” by series 基本上就是限制starttime的起始為當日的00:00:00 (starttime format為 %m/%d/%Y:%H:%M:%S) 如果是要取得最近幾天的License Usage index=_internal source=*license_usage.log type=RolloverSummary earliest=-7d | eval GB = b/1024/1024/1024 | eval _time = _time – 43200 … Continue reading →