Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display a search result by the Log Size per field in MB, not the event count?

pavanae
Builder
‎10-01-2015 12:32 PM

Hi

I have the following search which is presently displaying the list of eventcounts by the field "category_type", but I want to see the result in log size per field instead of event count. Is it possible to see like that? If yes please suggest me a way.

index="abc"  source="/opt/jboss/server/shoe/log/server.log" |stats count by category_type

Thanks in Advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ppablo
Retired
‎10-01-2015 01:00 PM

Hi @pavanae

Is the answer on this previous post what you're looking for?
http://answers.splunk.com/answers/210689/how-to-get-license-usage-data-for-a-particular-ind-1.html

You'd just have to adapt the eval to convert to MB.

View solution in original post

Reply
Solved! Jump to solution

valiquet
Contributor
‎12-21-2018 05:36 AM

index="abc" source="/opt/jboss/server/shoe/log/server.log"|foreach * [eval size_<>=len(<>)] | stats sum(size*)

0 Karma
Reply
Solved! Jump to solution
Solution

ppablo
Retired
‎10-01-2015 01:00 PM

Hi @pavanae

Is the answer on this previous post what you're looking for?
http://answers.splunk.com/answers/210689/how-to-get-license-usage-data-for-a-particular-ind-1.html

You'd just have to adapt the eval to convert to MB.

Reply
Solved! Jump to solution

pavanae
Builder
‎10-01-2015 01:22 PM

Thanks worked Great but what if want the result in MB. How should I modify the
...|eval MB = length(_raw) |....

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-01-2015 03:35 PM

Just like @martin_mueller's comment in that post, but change it to convert to MB instead of GB...

 ... | eval length = length(_raw) / 1024 | ...
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
li.common.scroll-to.top