Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to count events and calculate the disk space these events use?

cboillot
Contributor
‎09-26-2018 11:07 AM

So, the first part of this is really easy.

index=active_dir
| stats count by EventCode

This will give me the a list of all the event codes, and the number of times they appear. What I am needing to do, is also report on the total drive space those events, per event code, are taking up. Like this:

|EventCode |count |size on disk|
|EventCode_1|count_of_EventCode_1|size_on_disk_of_EventCode_1|
|EventCode_2|count_of_EventCode_2|size_on_disk_of_EventCode_2|
|EventCode_3|count_of_EventCode_3|size_on_disk_of_EventCode_3|

This is where I am stuck. Anyone have any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Rob2520
Communicator
‎09-26-2018 02:00 PM

Try this

index=active_dir| fields _raw | eval eventsize=len(_raw)| stats avg(eventsize) as average_size

This gives you average size in bytes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Rob2520
Communicator
‎09-26-2018 02:00 PM

Try this

index=active_dir| fields _raw | eval eventsize=len(_raw)| stats avg(eventsize) as average_size

This gives you average size in bytes.

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎09-27-2018 06:51 AM

Not quite, and I don't think I explained myself clearly. This is what i am needing:

|EventCode|count|size on disk|
|EventCode_1|count_of_EventCode_1|size_on_disk_of_EventCode_1
|EventCode_2|count_of_EventCode_2|size_on_disk_of_EventCode_2
|EventCode_3|count_of_EventCode_3|size_on_disk_of_EventCode_3

I tried to use both stats functions, but couldn't get it to work

index=ad_6mths
| fields _raw,EventCode
|  eval eventsize=len(_raw)| stats count by EventCode, sum(eventsize)
0 Karma
Reply
Solved! Jump to solution

Rob2520
Communicator
‎09-27-2018 07:54 AM

Understood.

How about this?

index=ad_6mths| stats count as EventCodeCount by EventCode| join EventCode [ search index=ad_6mths| eval eventsize=len(_raw) | eval sizeinMB=round(eventsize/1024,2)| stats sum(sizeinMB) as TotalSizeinMB by EventCode]

This gives output in MB.

Reply
Solved! Jump to solution

cboillot
Contributor
‎09-27-2018 09:40 AM

You sir, and the others like you, make this place a great place to be.

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...