Hi,
I have a license search that gives me some good info, but only gives me the top 10 indexes. I'd like expand it to 20 or so, but not sure how to do it. Here's the search:
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | search pool="auto_generated_pool_enterprise" | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | search pool="auto_generated_pool_enterprise" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS "pool size" by _time] | fields - _timediff | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
↧