Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the size (in bytes) of various common IT data event sourcetypes

maverick
Splunk Employee
Splunk Employee
‎06-08-2010 02:08 PM

I was wondering if anyone had a link to some web page that lists the sizes (in bytes) for various common IT data event source types, like Cisco ASA, Microsoft IIS, Bluecoat, WebSphere/WebLogic log4j or logback, insert_your_common_sourcetype_here, etc.

Reply

maverick
Splunk Employee
Splunk Employee
‎06-14-2010 02:34 PM

Please see this Splunk Wiki table for more details, or to add your own events and their sizes now:

http://www.splunk.com/wiki/Community:CommonEventSizes

Reply

mendesjo
Path Finder
‎10-03-2016 03:22 PM

Any idea how you would find the TOTAL size of events by sourcetype in an index?

0 Karma
Reply

maverick
Splunk Employee
Splunk Employee
‎08-31-2010 09:46 PM

Thanks! This will help a lot!

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎08-31-2010 07:58 PM

Here's the same search but also showing the 10th and 90th percentile for event size (in bytes) broken down by sourcetype :

  • | eval esize=len(_raw) | stats p10(esize), avg(esize), p90(esize) by sourcetype
0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎08-31-2010 07:58 PM

If you want to check the average size in bytes of your events broken down by sourcetype, you can run the search below. Of course, feel free to replace "*" with a specific data set you want to study, and don't forget to adequately set the time frame of the search :

  • | eval esize=len(_raw) | stats avg(esize) by sourcetype
0 Karma
Reply

effem
Communicator
‎02-19-2015 07:00 AM

Isn't it simply the length of the _raw field? e.g. the value given by esize is only the number of characters.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...