How can I check event size?

chintan_shah · ‎08-11-2017

Hi,

Is there any way to determine which events takes a lot of storage/data? It will help me to bypass those events if required.

mattymo · ‎08-12-2017

Hey chintan_shah!

Check out the meta woot! app on splunkbase.

It provides many must have views for Splunk Admins, including a licensing data model that show you license usage per event:

This will allow you to monitor how much license a sourcetype/index are using per event.

Once you narrow it down you can then use a search like this to investigate the raw events

index=_internal sourcetype="splunkd"
| eval eventSize=len(_raw)
| table eventSize _raw
| sort - eventSize

and append | stats max(eventSize), avg(eventSize), min(eventSize) to keep some high level stats on your data.

- MattyMo

manish_singh_77 · ‎09-24-2019

@mmodestino_splunk

I am trying to check the license usage consumption by event pattern and trying to create a report which would say which event patterns are consuming more license.

lfedak_splunk · ‎08-11-2017

Hey @chintan_shah, did I edit your question correctly? Are you hoping to check your licensing limits? Or is this for your own storage capacity?

How can I check event size?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?