Splunk Search

How to do search for medium-sized events in splunk?

jfeitosa
Path Finder

I would like some help from you to do a search for medium-sized events in Splunk. Please help me.

Tks.


emiller42
Motivator

Try this. It gives you all events within one standard deviation of the average event size:

... | eval event_len=len(_raw) | eventstats avg(event_len) as avg_size stdev(event_len) as stdev | eval lower_bound=avg_size-stdev | eval upper_bound=avg_size+stdev | where event_len>lower_bound AND event_len<upper_bound

eventstats generates aggregates, but applies them to individual events. So every event is retained, but in this case also gets fields added for avg_size and stdev. You can then compare the event's length to those aggregates and filter accordingly.

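The eventstats filter from the accepted answer, re-implemented as an added Python example over a few constructed events (this is not code from the thread or from Splunk), so the per-step logic can be traced; it also covers the asker's per-source average and the edge case of a single event, where the bounds collapse onto the mean.

```python
# Added example (not from the Splunk thread): the "within one standard
# deviation of the mean size" filter that the eventstats search performs.
import statistics

# Constructed sample _raw events; the fourth is a size outlier (a stack trace).
EVENTS = [
    {"source": "/var/log/auth.log", "_raw": "Accepted publickey for alice from 10.0.0.5"},
    {"source": "/var/log/auth.log", "_raw": "Failed password for invalid user bob from 10.0.0.9"},
    {"source": "/var/log/app.log", "_raw": "GET /login 200 12ms"},
    {"source": "/var/log/app.log",
     "_raw": "ERROR NullPointerException\n" + "  at com.example.Handler(Handler.java:42)\n" * 20},
    {"source": "/var/log/app.log", "_raw": "POST /api/token 401 3ms"},
]

def event_len(raw):
    # Splunk's len() counts characters; the asker wanted bytes, so encode first.
    return len(raw.encode("utf-8"))

def add_bounds(events):
    """Mirror `eventstats avg(event_len) stdev(event_len)`: compute the aggregates
    once, then attach them to every event. No event is dropped here.
    Splunk's stdev() is the sample standard deviation, like statistics.stdev."""
    sizes = [event_len(e["_raw"]) for e in events]
    avg_size = statistics.fmean(sizes)
    # A single event has no spread; statistics.stdev would raise on it.
    stdev = statistics.stdev(sizes) if len(sizes) > 1 else 0.0
    return [
        {**e, "event_len": s, "avg_size": avg_size, "stdev": stdev,
         "lower_bound": avg_size - stdev, "upper_bound": avg_size + stdev}
        for e, s in zip(events, sizes)
    ]

def medium_sized(events):
    """Mirror `where event_len>lower_bound AND event_len<upper_bound` (strict)."""
    return [e for e in add_bounds(events)
            if e["lower_bound"] < e["event_len"] < e["upper_bound"]]

def avg_size_by_source(events):
    """Mirror the asker's `stats avg(esize) by source`."""
    by_source = {}
    for e in events:
        by_source.setdefault(e["source"], []).append(event_len(e["_raw"]))
    return {src: statistics.fmean(v) for src, v in by_source.items()}

if __name__ == "__main__":
    for e in medium_sized(EVENTS):
        print(e["event_len"], e["_raw"].splitlines()[0])
    print(avg_size_by_source(EVENTS))
```

Note that one large outlier inflates the standard deviation enough to push the lower bound below zero, so the filter then only removes the outlier; with strict bounds, a single event (or events all the same size) is never "medium".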


jfeitosa
Path Finder

Thanks emiller42, that's what I needed.


pradeepkumarg
Influencer

What is a medium-sized event? What did you try so far? You'll have to provide more details for the community to be able to help you.

jfeitosa
Path Finder

Thanks gpradeepkumarreddy,

I tried a search like this:
* | eval esize=len(_raw) | stats avg(esize) by source

But I do not know if it is correct.

I need to know the size of each event. An average size of each event in bytes.
