Solved: Re: size of a log event

sanju005ind · ‎06-08-2010

is there a query to get the size of a log event (how big the event is inside splunk?) I know you can get index sizes, just want to try to break it up a bit more. I can't find a field that is "size of log entry".

Lowell · ‎06-14-2010

You should be able to use the eval command with the len() function. So you could look at high and low markers per sourcetype with a search like this:

| eval raw_len=len(_raw) | stats p10(raw_len), p90(raw_len) by sourcetype

Note: You asked about the "size" of your event. However, the term "size" is a bit ambigious. This example shows you the number of characters in the _raw field, which can be different from the number of bytes used to store the _raw field in the case of unicode characters.)

View solution in original post

ckurtz · ‎08-08-2014

p10 and p90 return the 10th and 90th percentile values1

aymericbrun · ‎05-19-2011

What does it returns exactly ? What are the columns p10 and p90 ?? Is it the size in Mo ?

Lowell · ‎06-14-2010

You should be able to use the eval command with the len() function. So you could look at high and low markers per sourcetype with a search like this:

| eval raw_len=len(_raw) | stats p10(raw_len), p90(raw_len) by sourcetype

Note: You asked about the "size" of your event. However, the term "size" is a bit ambigious. This example shows you the number of characters in the _raw field, which can be different from the number of bytes used to store the _raw field in the case of unicode characters.)

size of a log event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation