Yes, good catch. Typo on my part

I would actually clean it up and do like so:

index=whatever 
| fields _raw 
| eval esize=len(_raw) 
| stats count as count avg(esize) as avg 
| eval bytes=count*avg 
| eval kb=bytes/1024 
| eval mb=round(kb/1024/2014,2) 
| eval gb=round(kb/1024/1024/1024,2) 
| eval tb=round(gb/1024/1024/1024/1024,2) 
| stats values(kb) as KB, values(mb) AS MB, values(gb) AS GB, values(tb) AS TB

I added the ignore all fields except _raw to speed up the search
and i added the rounding for you

I think that the eval statements may be off kilter a bit here:
shouldn't they be:
index=mildw
| fields _raw
| eval esize=len(_raw)
| stats count as count avg(esize) as avg
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| eval gb=round(mb/1024,2)
| eval tb=round(gb/1024,2)
| stats values(kb) as KB, values(mb) AS MB, values(gb) AS GB, values(tb) AS TB

as the kb is bytes 1024 mb is kb/1024 etc etc...

Your calculation is wrong for mb and onwards. it should be one 1024 less

@mattlucas719

I think you have a typo in your eval mb line

| eval mb=round(kb/1024/2014,2)

Should be

| eval mb=round(kb/1024/1024,2)

i am looking for size of each event.

and it would be great,if we can get disk space for indexing.

and want find how amount of logging into Splunk

i am trying with this command but its failing

index=myindex| eval esize=len(_raw)|stats avg(esize) as avg [search index=myindex |stats count as co] | eval size=(avg*co)

Hi ,

Please give a try below command

| rest /services/data/indexes/

its not working.