Determines the number of bytes that this event internally uses
in disk storage for the values, not counting the bytes for
storing the field names. This does not include the RAM usage of
an event during a query, implying that aggregated events will
have a size of zero.
Search for Events by Size in Repository
Search for events of a certain size in a repository using the eventSize() function
Query
logscale
eventSize()|_eventSize>10000
Introduction
The eventSize() function is used to search
for events based on their internal disk storage usage. The
function augments the event data with the event size information.
Step-by-Step
Starting with the source repository events.
logscale
eventSize()
Determines the number of bytes that events internally use in
disk storage for the values (not counting the bytes for storing
the field names), and returns the results in a field named
_eventSize.
logscale
|_eventSize>10000
Searches for events that take up more than 10000 bytes of
internal disk storage. Notice that you cannot do a direct
comparison on the function itself, as it augments the event data
with the event size information rather than returning data.
Event Result set.
Summary and Results
The query is used to get an overview of the disk storage usage
of the different events and, in this example, to filter on the
largest ones. A high disk storage usage can cause performance
issues, depending on the time range.
Track Event Size Within a Repository
Calculate the event size and report the relative size statistics for each event using the eventSize() function
The eventSize() function is used to search
for events based on their internal disk storage usage. The
function augments the event data with the event size information.
This query shows how statistical information about events can
first be determined, and then converted into a graph that shows
the relative sizes.
Step-by-Step
Starting with the source repository events.
logscale
eventSize(as=eventSize)
Extracts the information about the size of each individual event
using the eventSize() function.
Calculates the percentile() for the
eventSize field and
determines which size is above 50%, 75%, 90% and 99% of the
overall event set, then finds the maximum size for the specified
field over a set of events, and displays the returned results in
a timechart.
Event Result set.
Summary and Results
The query is used to show how statistical information about
events can first be determined, and then converted into a graph
that shows the relative sizes.
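The steps described above written out as one query, as an added example that is not taken from the original page. The percentile list follows the description; the max() and timeChart() calls are assumed from the wording "maximum size" and "timechart", and the time bucket span is left at its default.

```logscale
// Added example: store each event's on-disk value size in a field named eventSize
eventSize(as=eventSize)
// Per time bucket, chart the 50th, 75th, 90th and 99th percentiles and the maximum
| timeChart(function=[percentile(field=eventSize, percentiles=[50, 75, 90, 99]), max(eventSize)])
```

A 99th percentile or maximum that pulls far away from the median points at a small number of oversized events, which the _eventSize>10000 style filter from the first example can then isolate.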