Solved: Re: size of a log event

sanju005ind · ‎06-08-2010

is there a query to get the size of a log event (how big the event is inside splunk?) I know you can get index sizes, just want to try to break it up a bit more. I can't find a field that is "size of log entry".

Lowell · ‎06-14-2010

You should be able to use the eval command with the len() function. So you could look at high and low markers per sourcetype with a search like this:

| eval raw_len=len(_raw) | stats p10(raw_len), p90(raw_len) by sourcetype

Note: You asked about the "size" of your event. However, the term "size" is a bit ambigious. This example shows you the number of characters in the _raw field, which can be different from the number of bytes used to store the _raw field in the case of unicode characters.)

View solution in original post

ckurtz · ‎08-08-2014

p10 and p90 return the 10th and 90th percentile values1

aymericbrun · ‎05-19-2011

What does it returns exactly ? What are the columns p10 and p90 ?? Is it the size in Mo ?

Lowell · ‎06-14-2010

You should be able to use the eval command with the len() function. So you could look at high and low markers per sourcetype with a search like this:

| eval raw_len=len(_raw) | stats p10(raw_len), p90(raw_len) by sourcetype

Note: You asked about the "size" of your event. However, the term "size" is a bit ambigious. This example shows you the number of characters in the _raw field, which can be different from the number of bytes used to store the _raw field in the case of unicode characters.)

size of a log event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?