Re: How to get average event size...

a212830 · ‎05-02-2016

Is there a quick way (metadata? tstats?) to get the average event size for my events? Querying every event would take forever...

sloshburch · ‎06-13-2016

license_usage.log shows the size of the events...I usually use that so long as none were skipped.

Runals · ‎05-03-2016

If you wanted a quick and dirty method you could do some math on the metrics logs (# events / size) but the larger your environment the less I trust the metrics log /shrug.

somesoni2 · ‎05-02-2016

AFAIK, Size of raw data is not stored in any metadata/tsidx, so only option would be to query raw data. May be run for a smaller period to avoid very long running query.

your base search | eval size=len(_raw) | stats avg(size)

twinspop · ‎05-02-2016

Yep. Event size was important to my system at one point so I set-up an accelerated data model using the same eval you have shown above. With the ADM it's easy to grab stats based on sourcetype, source, index and/or host. Once the need passed, I disabled the acceleration.

a212830 · ‎05-02-2016

Thanks. Is that bytes?

somesoni2 · ‎05-02-2016

Yes.......

How to get average event size...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases