Splunk Search

Search Query Help: Number of Events per Event Code and Total size of those events

adalbor
Builder

Hey All,

I am trying to calculate the number of events per EventCode along with the total size in kb/mb of all events for that EventCode in a time period.

I was hoping to table that data by Event Code.

This is what I have so far but I am struggling with getting a count of each EventCode and listing the sizing in a table.

index=wineventlog EventCode=4624
| fields _raw
| eval esize=len(_raw)
| stats count as count avg(esize) as avg
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB

This works for a single event code but I need to list all EventCodes and how much storage each are using in total.

Any help would be great!

Thank you!

Andrew

1 Solution

cmerriman
Super Champion

Can you try something like this? If I'm understanding what you're looking for, you just need to add EventCode to your fields and stats commands.

index=wineventlog 
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg 
| eval kb=bytes/1024 
| eval mb=round(kb/1024,2) 
| stats values(kb) as KB, values(mb) AS MB by EventCode


adalbor
Builder

That's super close to what I need. I was hoping to add the number of events per event code to that.


cmerriman
Super Champion

Just add sum(count) as events to the last stats command. I think that should do it.

adalbor
Builder

Putting that at the end of my last stats command doesn't appear to work. The search returns no results when using that.


cmerriman
Super Champion

...| stats sum(count) as events values(kb) as KB, values(mb) AS MB by EventCode doesn’t work?

adalbor
Builder

My hero! Worked perfectly now thank you!

index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| eval gb=round(kb/1024/1024,2)
| stats sum(count) as events values(mb) AS MB, values(gb) as GB by EventCode
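The same per-EventCode volume report can be produced in a single stats pass, which is the form I would use when sizing Windows event log ingestion. This is an added example, not a query from the thread: count*avg(esize) over the grouped events is exactly sum(esize), so the second stats and the values() wrappers are not needed, and the field names (events, bytes, avg_bytes, MB, GB) are my own choices. len(_raw) counts characters, so for the ASCII-heavy wineventlog sourcetype it is a close approximation of the raw bytes indexed, not an exact byte count.

```spl
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count AS events sum(esize) AS bytes avg(esize) AS avg_bytes BY EventCode
| eval MB=round(bytes/1024/1024,2), GB=round(bytes/1024/1024/1024,2), avg_bytes=round(avg_bytes,0)
| sort - bytes
| table EventCode events avg_bytes MB GB
```

Sorting by bytes rather than by event count surfaces the codes that drive storage and license usage; a code such as 4662 or 5145 can dominate volume with far fewer events than 4624 because its per-event size is much larger, which is why avg_bytes is kept in the table alongside the totals.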
