Splunk Search

How to write a search to find how much data was indexed for a particular Eventcode?

Communicator

Hello All,

I want to have one report/search string which states how much data was indexed for particular eventcode say (EventCde=4668) in Windows Events logs in GB.

As we now we have license_usage.log for tracking the data, but here we don't have facility to break it down by any other event field.

I have the search below which says this how much data came from a particular sourcetype, but need to have that with EventCode.

index=_internal source="*license_usage.log" type=Usage idx=security st=WinEventLog:Security | eval TotalGB=round(b/1024/1024/1024,4)| table _time, TotalGB, st, idx 

Can any one help me on this?

0 Karma

Esteemed Legend

License usage is by bytes so you can just get it out of your data itself, like this:

index=* EventCode=4668 | b=len(_raw) | eval TotalGB=round(b/1024/1024/1024,4)| table _time, TotalGB, sourcetype index

It would be best to limit your index (and maybe sourcetype, too) to only those which might have EventCode fields.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!