Determines the number of bytes that this event internally uses in disk storage for the values, not counting the bytes for storing the field names. This does not include the RAM usage of an event during a query, implying that aggregated events will have a size of zero.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| as | string | optional[a] | _eventSize | Name of output field. |

[a] Optional parameters use their default value unless explicitly set.

eventSize() Examples

Search for Events by Size in Repository

Query
logscale
    eventSize()
    | _eventSize > 10000

Introduction

The eventSize() function is used to search for events based on their internal disk storage usage. The function augments the event data with the event size information.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    eventSize()

    Determines the number of bytes that events internally use in disk storage for the values (not counting the bytes for storing the field names), and returns the results in a field named _eventSize.

  3. logscale
    | _eventSize > 10000

    Searches for events that take up more than 10000 bytes of internal disk storage. Note that you cannot use the function directly in a comparison: it augments the event data with the event size information rather than returning data, so the comparison is made against the _eventSize field in a separate step.

  4. Event Result set.

Summary and Results

The query is used to get an overview of the disk storage usage of the different events and in this example filter on the largest ones. A high disk storage usage can cause performance issues, depending on the time range.

Track Event Size Within a Repository

Query
logscale
    eventSize(as=eventSize)
    |timechart(function=[max(eventSize),percentile(field=eventSize,percentiles=[50,75,90,99])])

Introduction

The eventSize() function is used to search for events based on their internal disk storage usage. The function augments the event data with the event size information. This query shows how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    eventSize(as=eventSize)

    Extracts the information about the size of each individual event using the eventSize() function.

  3. logscale
    |timechart(function=[max(eventSize),percentile(field=eventSize,percentiles=[50,75,90,99])])

    Calculates the percentile() for the eventSize field and determines which event size is above 50%, 75%, 90% and 99% of the overall event set, then finds the maximum size for the specified field over a set of events, and displays the returned results in a timechart.

  4. Event Result set.

Summary and Results

The query is used to show how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.
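
An added example, not part of the original documentation, that combines the two queries above: it keeps only events over the 10000-byte threshold and groups them to show which event types produce the largest events. It assumes the repository tags events with #type; the output field names largeEvents, maxSize and avgSize are chosen here for illustration.

```logscale
// Added example: attribute oversized events to the event type that produced them.
// Assumption: events carry the #type tag; swap in another field (for example a host field) if they do not.
eventSize(as=eventSize)
// Keep only events above the same threshold used in the first example
| eventSize > 10000
// Per event type: number of oversized events, plus their largest and average size in bytes
| groupBy(#type, function=[count(as=largeEvents), max(eventSize, as=maxSize), avg(eventSize, as=avgSize)])
// Largest offenders first
| sort(maxSize, order=desc, limit=20)
```

As in the first example, the size filter is a separate pipeline step on the field that eventSize() adds, not a comparison on the function itself.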