Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search Query Help: Number of Events per Event ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey All,
I am trying to calculate the number of events per EventCode along with the total size in kb/mb of all events for that EventCode in a time period.
I was hoping to table that data by Event Code.
This is what I have so far but I am struggling with getting a count of each EventCode and listing the sizing in a table.
index=wineventlog EventCode=4624
| fields _raw
| eval esize=len(_raw)
| stats count as count avg(esize) as avg
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB
This works for a single event code but I need to list all EventCodes and how much storage each are using in total.
Any help would be great!
Thank you!
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try something like this? if i'm understanding what you're looking for, you just need to add in EventCode to your fields and stats commands.
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB by EventCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try something like this? if i'm understanding what you're looking for, you just need to add in EventCode to your fields and stats commands.
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB by EventCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats super close to what I need. Was hoping to add the number of events per event code to that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just add in sum(count) as events to the last stats command. think that should do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Putting that at the end of my last stats command doesn't appear to work. The search returns no results when using that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...| stats sum(count) as events values(kb) as KB, values(mb) AS MB by EventCode doesn’t work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My hero! Worked perfectly now thank you!
index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| eval gb=round(kb/1024/1024,2)
| stats sum(count) as events values(mb) AS MB, values(gb) as GB by EventCode
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
