topic Re: Search Query Help: Number of Events per Event Code and Total size of those events in Splunk Search https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382451#M111750 <P>Thats super close to what I need. Was hoping to add the number of events per event code to that.</P> Tue, 09 Jul 2019 18:57:45 GMT adalbor 2019-07-09T18:57:45Z Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382449#M111748 <P>Hey All,</P> <P>I am trying to calculate the number of events per EventCode along with the total size in kb/mb of all events for that EventCode in a time period.</P> <P>I was hoping to table that data by Event Code.</P> <P>This is what I have so far but I am struggling with getting a count of each EventCode and listing the sizing in a table.</P> <P>index=wineventlog EventCode=4624<BR /> | fields _raw <BR /> | eval esize=len(_raw) <BR /> | stats count as count avg(esize) as avg <BR /> | eval bytes=count*avg <BR /> | eval kb=bytes/1024 <BR /> | eval mb=round(kb/1024,2) <BR /> | stats values(kb) as KB, values(mb) AS MB</P> <P>This works for a single event code but I need to list all EventCodes and how much storage each are using in total.</P> <P>Any help would be great!</P> <P>Thank you!</P> <P>Andrew</P> Wed, 30 Sep 2020 01:16:10 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382449#M111748 adalbor 2020-09-30T01:16:10Z Re: Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382450#M111749 <P>can you try something like this? if i'm understanding what you're looking for, you just need to add in EventCode to your fields and stats commands. </P> <PRE><CODE>index=wineventlog | fields _raw EventCode | eval esize=len(_raw) | stats count as count avg(esize) as avg by EventCode | eval bytes=count*avg | eval kb=bytes/1024 | eval mb=round(kb/1024,2) | stats values(kb) as KB, values(mb) AS MB by EventCode </CODE></PRE> Tue, 09 Jul 2019 18:45:54 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382450#M111749 cmerriman 2019-07-09T18:45:54Z Re: Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382451#M111750 <P>Thats super close to what I need. Was hoping to add the number of events per event code to that.</P> Tue, 09 Jul 2019 18:57:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382451#M111750 adalbor 2019-07-09T18:57:45Z Re: Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382452#M111751 <P>just add in <CODE>sum(count) as events</CODE> to the last stats command. think that should do it.</P> Tue, 09 Jul 2019 20:34:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382452#M111751 cmerriman 2019-07-09T20:34:51Z Re: Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382453#M111752 <P>Putting that at the end of my last stats command doesn't appear to work. The search returns no results when using that.</P> Wed, 10 Jul 2019 12:46:04 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382453#M111752 adalbor 2019-07-10T12:46:04Z Re: Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382454#M111753 <P><CODE>...| stats sum(count) as events values(kb) as KB, values(mb) AS MB by EventCode</CODE> doesn’t work?</P> Wed, 10 Jul 2019 13:05:03 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382454#M111753 cmerriman 2019-07-10T13:05:03Z Re: Search Query Help: Number of Events per Event Code and Total size of those events https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382455#M111754 <P>My hero! Worked perfectly now thank you!</P> <P>index=wineventlog <BR /> | fields _raw EventCode<BR /> | eval esize=len(_raw)<BR /> | stats count as count avg(esize) as avg by EventCode<BR /> | eval bytes=count*avg <BR /> | eval kb=bytes/1024<BR /> | eval mb=round(kb/1024,2)<BR /><BR /> | eval gb=round(kb/1024/1024,2) <BR /> | stats sum(count) as events values(mb) AS MB, values(gb) as GB by EventCode</P> Wed, 30 Sep 2020 01:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Search-Query-Help-Number-of-Events-per-Event-Code-and-Total-size/m-p/382455#M111754 adalbor 2020-09-30T01:16:34Z