(index=_internal source="*license_usage.log" type=Usage idx=netflow) OR (index=netflow)
| eval size_bytes = case(
index="_internal", b,
index="netflow", len(_raw)
)
| eval field_name = case(
index="_internal", "netflow_internal_size",
index="netflow", "netflow_raw_size"
)
| timechart span=1d sum(size_bytes) by field_name useother=f
| fillnull value=0 netflow_internal_size netflow_raw_size
| eval difference=netflow_raw_size-netflow_internal_size
| eval ratio=netflow_raw_size/netflow_internal_size
| table _time netflow_internal_size netflow_raw_size difference ratio

index=_internal source="*license_usage.log" type=Usage idx=netflow
| eval netflow_license_size = b
| timechart span=1d sum(netflow_license_size) as netflow_license_size
| join _time [
search index=netflow
| eval netflow_raw_size = len(_raw)
| timechart span=1d sum(netflow_raw_size) as netflow_raw_size
]
| fillnull value=0 netflow_license_size netflow_raw_size
| eval difference=netflow_raw_size-netflow_license_size
| eval ratio=netflow_raw_size/netflow_license_size
| rename difference as raw-internal ratio as raw÷internal
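| table _time netflow_license_size netflow_raw_size raw-internal raw÷internal

The total RAW size of the netflow index is larger than the sum of b for idx=netflow in _internal because the byte count used for license consumption does not include the parts that are removed before indexing, such as the netflow index's meta fields and the raw data's headers.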