Determines the number of bytes that this event internally uses in disk storage for the values, not counting the bytes for storing the field names. This does not include the RAM usage of an event during a query, implying that aggregated events will have a size of zero.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
as | string | optional[a] | _eventSize | Name of output field. |

[a] Optional parameters use their default value unless explicitly set.
eventSize()
Examples
Search for Events by Size in Repository
Query
```logscale
eventSize()
| _eventSize > 10000
```
Introduction
The eventSize() function is used to search for events depending on their internal disk storage usage. The function augments the event data with the event size information.
Step-by-Step
1. Starting with the source repository events.
2. ```logscale
   eventSize()
   ```
   Determines the number of bytes that events internally use in disk storage for the values (not counting the bytes for storing the field names), and returns the results in a field named _eventSize.
3. ```logscale
   | _eventSize > 10000
   ```
   Searches for events that take up more than 10000 bytes in internal disk storage usage. Notice that you cannot do a direct comparison, as the function augments the event data with the event size information, rather than returning data.
4. Event Result set.
Summary and Results
The query is used to get an overview of the disk storage usage of the different events and in this example filter on the largest ones. A high disk storage usage can cause performance issues, depending on the time range.
Track Event Size Within a Repository
Query
```logscale
eventSize(as=eventSize)
|timechart(function=[max(eventSize),percentile(field=eventSize,percentiles=[50,75,90,99])])
```
Introduction
The eventSize() function is used to search for events depending on their internal disk storage usage. The function augments the event data with the event size information. This query shows how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.
Step-by-Step
1. Starting with the source repository events.
2. ```logscale
   eventSize(as=eventSize)
   ```
   Extracts the information about the size of each individual event using the eventSize() function.
3. ```logscale
   |timechart(function=[max(eventSize),percentile(field=eventSize,percentiles=[50,75,90,99])])
   ```
   Calculates the percentile() for the eventSize field and determines which event size is above 50%, 75%, 90%, and 99% of the overall event set, then finds the maximum size for the specified field over a set of events, and displays the returned results in a timechart.
4. Event Result set.
Summary and Results
The query is used to show how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.
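
The description at the top of this page notes that aggregated events have a size of zero, so eventSize() has to run before any aggregation. The following query is an added example, not part of the original documentation, that breaks value storage down per source. It assumes #type is the tag field that identifies the source, and the output names events, totalBytes and largestEvent are illustrative.

```logscale
// Added example. Assumption: #type is the tag field identifying the source.
// Measure each event first: eventSize() must see the stored events.
eventSize(as=eventSize)
// Then aggregate the per-event sizes by source.
| groupBy(#type, function=[
    count(as=events),
    sum(eventSize, as=totalBytes),
    max(eventSize, as=largestEvent)
  ])
// Sources that use the most value storage come first.
| sort(totalBytes, order=desc, limit=20)

// Reversed order, for contrast: groupBy() emits aggregated events, which per
// the description above have a size of zero, so every row would report 0.
// groupBy(#type) | eventSize(as=eventSize)
```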