How can I check event size?

chintan_shah · ‎08-11-2017

Hi,

Is there any way to determine which events takes a lot of storage/data? It will help me to bypass those events if required.

mattymo · ‎08-12-2017

Hey chintan_shah!

Check out the meta woot! app on splunkbase.

It provides many must have views for Splunk Admins, including a licensing data model that show you license usage per event:

This will allow you to monitor how much license a sourcetype/index are using per event.

Once you narrow it down you can then use a search like this to investigate the raw events

index=_internal sourcetype="splunkd"
| eval eventSize=len(_raw)
| table eventSize _raw
| sort - eventSize

and append | stats max(eventSize), avg(eventSize), min(eventSize) to keep some high level stats on your data.

- MattyMo

manish_singh_77 · ‎09-24-2019

@mmodestino_splunk

I am trying to check the license usage consumption by event pattern and trying to create a report which would say which event patterns are consuming more license.

lfedak_splunk · ‎08-11-2017

Hey @chintan_shah, did I edit your question correctly? Are you hoping to check your licensing limits? Or is this for your own storage capacity?

How can I check event size?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...