Solved: Re: How to display a search result by the Log Size...

pavanae · ‎10-01-2015

Hi

I have the following search which is presently displaying the list of eventcounts by the field "category_type", but I want to see the result in log size per field instead of event count. Is it possible to see like that? If yes please suggest me a way.

index="abc"  source="/opt/jboss/server/shoe/log/server.log" |stats count by category_type

Thanks in Advance

ppablo · ‎10-01-2015

Hi @pavanae

Is the answer on this previous post what you're looking for?
http://answers.splunk.com/answers/210689/how-to-get-license-usage-data-for-a-particular-ind-1.html

You'd just have to adapt the eval to convert to MB.

View solution in original post

valiquet · ‎12-21-2018

index="abc" source="/opt/jboss/server/shoe/log/server.log"|foreach * [eval size_<>=len(<>)] | stats sum(size*)

ppablo · ‎10-01-2015

Hi @pavanae

Is the answer on this previous post what you're looking for?
http://answers.splunk.com/answers/210689/how-to-get-license-usage-data-for-a-particular-ind-1.html

You'd just have to adapt the eval to convert to MB.

pavanae · ‎10-01-2015

Thanks worked Great but what if want the result in MB. How should I modify the
...|eval MB = length(_raw) |....

ppablo · ‎10-01-2015

Just like @martin_mueller's comment in that post, but change it to convert to MB instead of GB...

 ... | eval length = length(_raw) / 1024 | ...

How to display a search result by the Log Size per field in MB, not the event count?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases