Splunk Search

Search Query Help: Number of Events per Event Code and Total size of those events

Builder

Hey All,

I am trying to calculate the number of events per EventCode along with the total size in kb/mb of all events for that EventCode in a time period.

I was hoping to table that data by Event Code.

This is what I have so far but I am struggling with getting a count of each EventCode and listing the sizing in a table.

```
index=wineventlog EventCode=4624
| fields _raw
| eval esize=len(_raw)
| stats count as count avg(esize) as avg
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB
```

This works for a single event code but I need to list all EventCodes and how much storage each are using in total.

Any help would be great!

Thank you!

Andrew

Super Champion

Can you try something like this? If I'm understanding what you're looking for, you just need to add EventCode to your fields and stats commands.

```
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB by EventCode
```
Builder

That's super close to what I need. I was hoping to add the number of events per event code to that.

Super Champion

Just add `sum(count) as events` to the last stats command. I think that should do it.

Builder

Putting that at the end of my last stats command doesn't appear to work. The search returns no results when using that.

Super Champion

`...| stats sum(count) as events values(kb) as KB, values(mb) AS MB by EventCode` doesn’t work?

Builder

My hero! Worked perfectly now thank you!

```
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| eval gb=round(kb/1024/1024,2)
| stats sum(count) as events values(mb) AS MB, values(gb) as GB by EventCode
```
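The same per-EventCode count and total size can be produced with a single `stats` pass. This is an added example, not one of the searches posted in the thread; it assumes the same `wineventlog` index and `EventCode` field. Summing `esize` directly gives the same total as `count*avg` without the second `stats`, and keeping the raw `bytes` column lets you sort the noisiest event codes to the top. Note that `len(_raw)` measures the characters of each raw event, which approximates the ingested raw size but is not the compressed on-disk footprint of the index.

```spl
index=wineventlog
| eval esize=len(_raw)
| stats count AS events sum(esize) AS bytes by EventCode
| eval MB=round(bytes/1024/1024,2), GB=round(bytes/1024/1024/1024,2)
| sort - bytes
```

Run it over the same time range as the original search; `events` is the number of events per EventCode and `bytes`/`MB`/`GB` the total raw size of those events, largest consumers first.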
