Try this. It gives you all events within one standard deviation of the average event size:
... | eval event_len=len(_raw) | eventstats avg(event_len) as avg_size stdev(event_len) as stdev | eval lower_bound=avg_size-stdev | eval upper_bound=avg_size+stdev | where event_len>lower_bound AND event_len<upper_bound
eventstats generates aggregates, but applies them to individual events. So every event is retained, but in this case also gets fields added for avg_size and stdev. You can then compare the event's length to those aggregates and filter accordingly.
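To make the eventstats/eval/where mechanics concrete, here is a small Python emulation of that pipeline over a few constructed log events. This is added example code, not part of the original answer, and it is not Splunk's implementation: it just mirrors what each stage does to the event list. One caveat it also shows: Splunk's len() counts characters, so for an "average size in bytes" the figure drifts on non-ASCII events; the event_bytes field below assumes UTF-8 storage, which is an assumption of this example.

```python
"""Emulate `eval event_len=len(_raw) | eventstats ... | eval ... | where ...`
over constructed events.  Example code, not Splunk's own implementation."""
import statistics

# Constructed sample events (not real data). _raw is what Splunk keeps per event.
SAMPLE_EVENTS = [
    {"source": "auth.log",
     "_raw": "Jan 10 12:00:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2"},
    {"source": "app.log", "_raw": "ok"},
    {"source": "app.log", "_raw": "user=bob status=200"},
    {"source": "app.log", "_raw": "x" * 400},          # one very long outlier event
    {"source": "app.log", "_raw": "résumé uploaded"},  # non-ASCII: char count != byte count
]


def eventstats_len(events):
    """Stage 1+2: `eval event_len=len(_raw)` then
    `eventstats avg(event_len) as avg_size stdev(event_len) as stdev`.
    Every event is kept; the same two aggregate values are copied onto each one."""
    for e in events:
        e["event_len"] = len(e["_raw"])                      # Splunk len(): characters
        e["event_bytes"] = len(e["_raw"].encode("utf-8"))    # assumption: UTF-8 storage
    lens = [e["event_len"] for e in events]
    avg_size = statistics.mean(lens)
    stdev = statistics.stdev(lens)    # sample stdev, matching Splunk's stdev()
    for e in events:
        e["avg_size"] = avg_size
        e["stdev"] = stdev
    return events


def within_one_stdev(events):
    """Stage 3+4: `eval lower_bound=avg_size-stdev | eval upper_bound=avg_size+stdev
    | where event_len>lower_bound AND event_len<upper_bound`."""
    kept = []
    for e in eventstats_len(events):
        lower_bound = e["avg_size"] - e["stdev"]
        upper_bound = e["avg_size"] + e["stdev"]
        if lower_bound < e["event_len"] < upper_bound:
            kept.append(e)
    return kept


def avg_size_by_source(events):
    """Contrast: `stats avg(esize) by source` collapses to one row per source and
    does not keep the individual events, which is why eventstats is used above."""
    by_source = {}
    for e in events:
        by_source.setdefault(e["source"], []).append(len(e["_raw"]))
    return {src: statistics.mean(v) for src, v in by_source.items()}


if __name__ == "__main__":
    for e in within_one_stdev(SAMPLE_EVENTS):
        print(e["source"], e["event_len"], e["event_bytes"], e["_raw"][:40])
    print(avg_size_by_source(SAMPLE_EVENTS))
```

Running it keeps the four ordinary events and drops the 400-character outlier, and the "résumé" event reports 15 characters but 17 bytes, which is the gap between len(_raw) and a true byte size.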
Thanks emiller42, that's what I needed.
What is a medium-sized event? What did you try so far? You'll have to provide more details for the community to be able to help you.
Thanks gpradeepkumarreddy,
I tried a search like this:
* | eval esize=len(_raw) | stats avg(esize) by source
But I do not know if it is correct.
I need to know the size of each event. An average size of each event in bytes.