Re: How to get average event size...

a212830 · ‎05-02-2016

Is there a quick way (metadata? tstats?) to get the average event size for my events? Querying every event would take forever...

sloshburch · ‎06-13-2016

license_usage.log shows the size of the events...I usually use that so long as none were skipped.

Runals · ‎05-03-2016

If you wanted a quick and dirty method you could do some math on the metrics logs (# events / size) but the larger your environment the less I trust the metrics log /shrug.

somesoni2 · ‎05-02-2016

AFAIK, Size of raw data is not stored in any metadata/tsidx, so only option would be to query raw data. May be run for a smaller period to avoid very long running query.

your base search | eval size=len(_raw) | stats avg(size)

twinspop · ‎05-02-2016

Yep. Event size was important to my system at one point so I set-up an accelerated data model using the same eval you have shown above. With the ADM it's easy to grab stats based on sourcetype, source, index and/or host. Once the need passed, I disabled the acceleration.

a212830 · ‎05-02-2016

Thanks. Is that bytes?

somesoni2 · ‎05-02-2016

Yes.......

How to get average event size...

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation