I am trying to execute the below query in Splunk Enterprise.
index=x sourcetype=y | join TABLE_NAME [| inputlookup Domain_Module_List.csv | search (Domain="Inventory")] | eval DATA_MB=round(DATA_KB/1024,2) | eval INDEX_MB=round(INDEX_SIZE_KB/1024,2) | timechart span=1mon limit=25 sum(DATA_MB) as datamb, sum(INDEX_MB) as indexmb by Domain | foreach indexmb* datamb* [eval size<<MATCHSTR>>='datamb<<MATCHSTR>>'+'indexmb<<MATCHSTR>>'] | fields - datamb* indexmb*
Below is the result which I am getting:
_time    size: Inventory  size: Platform  size:Financial
2017-08  1546672397.67    22240.14        745
2017-09  991610023.13     4040.69         603
Time and Domain name are the two fields which I am trying to fetch. Ideally the Domain name display should be Inventory, Platform, Financial but it is showing as size: Inventory size: Platform and size:Financial.
Could anyone please help me to get rid of "size:" from the above results.