Hey All,
I am trying to calculate the number of events per EventCode along with the total size in kb/mb of all events for that EventCode in a time period.
I was hoping to table that data by Event Code.
This is what I have so far but I am struggling with getting a count of each EventCode and listing the sizing in a table.
index=wineventlog EventCode=4624
| fields _raw
| eval esize=len(_raw)
| stats count as count avg(esize) as avg
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB
This works for a single event code but I need to list all EventCodes and how much storage each are using in total.
Any help would be great!
Thank you!
Andrew
Can you try something like this? If I'm understanding what you're looking for, you just need to add EventCode to your fields and stats commands.
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB by EventCode
That's super close to what I need. Was hoping to add the number of events per event code to that.
just add in sum(count) as events
to the last stats command. think that should do it.
Putting that at the end of my last stats command doesn't appear to work. The search returns no results when using that.
...| stats sum(count) as events values(kb) as KB, values(mb) AS MB by EventCode
doesn’t work?
My hero! Worked perfectly now thank you!
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| eval gb=round(kb/1024/1024,2)
| stats sum(count) as events values(mb) AS MB, values(gb) as GB by EventCode
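The per-EventCode aggregation the thread converges on (event count plus total size, converted to KB/MB), re-implemented in Python as an added example that is not part of the thread. It runs over constructed sample lines, not real log data, and it also reports the one thing the SPL hides: Splunk's len(_raw) is a character count, so for events containing non-ASCII text the on-disk UTF-8 byte size is larger.

```python
from collections import defaultdict
import re

# Constructed sample events (not real log data). The last line deliberately has
# no EventCode, to show that `stats ... by EventCode` silently drops such events.
SAMPLE_EVENTS = [
    "03/01/2024 10:00:01 LogName=Security EventCode=4624 Message=An account was successfully logged on.",
    "03/01/2024 10:00:02 LogName=Security EventCode=4624 Message=An account was successfully logged on. Logon Type: 3",
    "03/01/2024 10:00:03 LogName=Security EventCode=4624 Message=An account was successfully logged on. Account Name: José",
    "03/01/2024 10:00:04 LogName=Security EventCode=4625 Message=An account failed to log on.",
    "03/01/2024 10:00:05 LogName=Security EventCode=4688 Message=A new process has been created. Process Name: C:\\Windows\\System32\\cmd.exe",
    "03/01/2024 10:00:06 LogName=Security Message=malformed event without a code",
]

EVENTCODE_RE = re.compile(r"EventCode=(\d+)")


def size_by_eventcode(events):
    """Mirror `stats count sum(len(_raw)) by EventCode`, converted to KB/MB.

    Both the character count (what Splunk's len(_raw) returns) and the UTF-8
    byte count are accumulated so the two can be compared per EventCode.
    """
    acc = defaultdict(lambda: {"events": 0, "chars": 0, "bytes": 0})
    for raw in events:
        m = EVENTCODE_RE.search(raw)
        if not m:
            continue  # no EventCode field: dropped, just as `by EventCode` drops it
        row = acc[m.group(1)]
        row["events"] += 1
        row["chars"] += len(raw)
        row["bytes"] += len(raw.encode("utf-8"))
    result = {}
    for code, row in acc.items():
        avg = row["bytes"] / row["events"]
        result[code] = {
            "events": row["events"],
            "avg_bytes": avg,
            "bytes": row["bytes"],  # equals events * avg, the thread's count*avg trick
            "chars": row["chars"],
            "KB": round(row["bytes"] / 1024, 2),
            "MB": round(row["bytes"] / 1024 / 1024, 2),
        }
    return result


if __name__ == "__main__":
    for code, row in sorted(size_by_eventcode(SAMPLE_EVENTS).items()):
        print(code, row)
```

For a real index, summing len(_raw) directly (`stats count as events sum(esize) as bytes by EventCode`) gives the same total as the count*avg form and needs only one stats command.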