What's the average size for a log file?

nmensah · ‎03-14-2016

Hello everyone. I'm just trying to get a ball park estimate here. Granted everything is set to default, what do you think is the general log file size for the following logs:

Window 2012 Server log size:
Unix Server log size:
ESX log size:

skoelpin · ‎03-14-2016

Size is relative to what you're doing. In one index we have very little log data so I allow multiple lines to combine into one which makes it much easier to read compared to having 1 line per single lined event which could get messy if you have a high frequency of them. In another index we have web service calls so the event size is the start of the xml request to the end of the xml reqest, then the start of the xml response to the end of the xml response. So it will vary depending on what your ingesting and preference..

TIP!
You can edit the event size adding/modifying a stanza to your props.conf file on the indexer

http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents

martin_mueller · ‎03-14-2016

There is no generic average that makes sense to use without any context, activity on the servers matters.

Grab a free copy of Splunk, install on some machine, connect logs, wait for a few days, measure what you have.

lguinn2 · ‎03-14-2016

I second Martin's answer. Also note that you have control, in most cases, of how large log files can become before they roll/rotate. On many Linux servers, the utility that controls this is called logrotate.

For best performance and managing disk space, I would probably roll my log files at 5BM or even less. Just be sure to keep at least the current log and the previous log.

What's the average size for a log file?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms