Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Query Help: Number of Events per Event Code and Total size of those events

adalbor
Builder
‎07-09-2019 11:38 AM

Hey All,

I am trying to calculate the number of events per EventCode along with the total size in kb/mb of all events for that EventCode in a time period.

I was hoping to table that data by Event Code.

This is what I have so far but I am struggling with getting a count of each EventCode and listing the sizing in a table.

index=wineventlog EventCode=4624
| fields _raw
| eval esize=len(_raw)
| stats count as count avg(esize) as avg
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)
| stats values(kb) as KB, values(mb) AS MB

This works for a single event code but I need to list all EventCodes and how much storage each are using in total.

Any help would be great!

Thank you!

Andrew

Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-09-2019 11:45 AM

can you try something like this? if i'm understanding what you're looking for, you just need to add in EventCode to your fields and stats commands. 

index=wineventlog 
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg 
| eval kb=bytes/1024 
| eval mb=round(kb/1024,2) 
| stats values(kb) as KB, values(mb) AS MB by EventCode

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-09-2019 11:45 AM

can you try something like this? if i'm understanding what you're looking for, you just need to add in EventCode to your fields and stats commands. 

index=wineventlog 
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg 
| eval kb=bytes/1024 
| eval mb=round(kb/1024,2) 
| stats values(kb) as KB, values(mb) AS MB by EventCode
Reply
Solved! Jump to solution

adalbor
Builder
‎07-09-2019 11:57 AM

Thats super close to what I need. Was hoping to add the number of events per event code to that.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-09-2019 01:34 PM

just add in sum(count) as events to the last stats command. think that should do it.

Reply
Solved! Jump to solution

adalbor
Builder
‎07-10-2019 05:46 AM

Putting that at the end of my last stats command doesn't appear to work. The search returns no results when using that.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-10-2019 06:05 AM

...| stats sum(count) as events values(kb) as KB, values(mb) AS MB by EventCode doesn’t work?

Reply
Solved! Jump to solution

adalbor
Builder
‎07-10-2019 06:50 AM

My hero! Worked perfectly now thank you!

index=wineventlog
| fields _raw EventCode
| eval esize=len(_raw)
| stats count as count avg(esize) as avg by EventCode
| eval bytes=count*avg
| eval kb=bytes/1024
| eval mb=round(kb/1024,2)

| eval gb=round(kb/1024/1024,2)
| stats sum(count) as events values(mb) AS MB, values(gb) as GB by EventCode

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...