I have the following search which is presently displaying the list of eventcounts by the field "category_type", but I want to see the result in log size per field instead of event count. Is it possible to see like that? If yes please suggest me a way.
index="abc" source="/opt/jboss/server/shoe/log/server.log" |stats count by category_type
Thanks in Advance
Is the answer on this previous post what you're looking for?
You'd just have to adapt the eval to convert to MB.
Thanks worked Great but what if want the result in MB. How should I modify the
...|eval MB = length(_raw) |....
Just like @martin_mueller's comment in that post, but change it to convert to MB instead of GB...
... | eval length = length(_raw) / 1024 | ...
index="abc" source="/opt/jboss/server/shoe/log/server.log"|foreach * [eval size_<>=len(<>)] | stats sum(size*)