Determines the number of bytes that this event internally uses in disk storage for the values, not counting the bytes for storing the field names. This does not include the RAM usage of an event during a query, implying that aggregated events will have a size of zero.
Note
The eventSize() function must be used before any aggregate function; otherwise the event size will be returned as zero, because aggregated events have no disk storage of their own.
eventSize() Examples
Search For Events by Size in Repository
Search for events of a certain size in a repository using the eventSize() function.

Query

```logscale
eventSize()
| _eventSize > 10000
```

Introduction

The eventSize() function is used to search for events depending on their internal disk storage usage. The function augments the event data with the event size information.
Example incoming data might look like this:
| @timestamp | message | user | ip_address |
|---|---|---|---|
| 2025-10-31T10:00:00.000Z | Short log message | alice | 192.168.1.100 |
| 2025-10-31T10:01:00.000Z | Very long detailed error message with stack trace: Error at line 1234\nStack trace:\ncom.example.Class.method(Class.java:100)\ncom.example.OtherClass.otherMethod(OtherClass.java:200)\ncom.example.MainClass.main(MainClass.java:300)\nCaused by: java.lang.NullPointerException\nat com.example.Class.method(Class.java:100) | bob | 192.168.1.101 |
| 2025-10-31T10:02:00.000Z | Medium length message with some details about user activity and system status | charlie | 192.168.1.102 |
| 2025-10-31T10:03:00.000Z | Another very long message containing detailed system metrics: CPU usage: 85%, Memory: 16GB used of 32GB total, Disk usage: 75% on /dev/sda1, Network: IN=1.2GB/s OUT=800MB/s, Active connections: 1250, Thread count: 500, Active users: 3500, Cache hit ratio: 95%, Database connections: 100/150 | david | 192.168.1.103 |
| 2025-10-31T10:04:00.000Z | Brief status update | eve | 192.168.1.104 |
Step-by-Step

Starting with the source repository events.

- ```logscale
  eventSize()
  ```
  Determines the number of bytes that each event internally uses in disk storage for the values (not counting the bytes for storing the field names), and returns the result in a field named _eventSize.

- ```logscale
  | _eventSize > 10000
  ```
  Searches for events that take up more than 10000 bytes in internal disk storage. Notice that the comparison is made against the _eventSize field rather than against the function call itself, because eventSize() augments the event data with the size information rather than returning a value.
Summary and Results
The query is used to get an overview of the disk storage usage of the different events and in this example filter on the largest ones. A high disk storage usage can cause performance issues, depending on the time range.
Sample output from the incoming example data:
| message | user | ip_address | _eventSize |
|---|---|---|---|
| Very long detailed error message with stack trace: Error at line 1234\nStack trace:\ncom.example.Class.method(Class.java:100)\ncom.example.OtherClass.otherMethod(OtherClass.java:200)\ncom.example.MainClass.main(MainClass.java:300)\nCaused by: java.lang.NullPointerException\nat com.example.Class.method(Class.java:100) | bob | 192.168.1.101 | 12500 |
| Another very long message containing detailed system metrics: CPU usage: 85%, Memory: 16GB used of 32GB total, Disk usage: 75% on /dev/sda1, Network: IN=1.2GB/s OUT=800MB/s, Active connections: 1250, Thread count: 500, Active users: 3500, Cache hit ratio: 95%, Database connections: 100/150 | david | 192.168.1.103 | 11200 |
Note that only events with an _eventSize greater
than 10000 bytes are included in the results. The
_eventSize field shows the internal storage size in
bytes for each event.
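The query above singles out individual oversized events. A practitioner usually also wants to know which source is producing them, which means aggregating the per-event sizes. The following query is an added example and not part of the original page; it assumes the same user field as the sample data, and the field name bytes and the limit of 10 are arbitrary choices. It also illustrates the Note at the top of this page: eventSize() is placed before the aggregation so that each event still has a size when it is measured.

```logscale
// Added example: attribute disk storage usage to the user that produced it.
// eventSize() must run first, while every event is still an individual event;
// placing it after groupBy() would yield a size of zero for the aggregated rows.
eventSize(as=bytes)
| groupBy(user, function=[count(as=events), sum(bytes, as=totalBytes), max(bytes, as=maxBytes)])
| sort(totalBytes, order=desc, limit=10)
```

The result is one row per user with the number of events, the total bytes they occupy and the largest single event. A user whose totalBytes is dominated by a high maxBytes is emitting the kind of oversized messages (stack traces, dumped metrics) that the first example filters on one by one, which is the usual starting point for tuning parsers or log verbosity at the source.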
Track Event Size Within a Repository
Calculate the event size and report the relative size statistics for each event using the eventSize() function.

Query

```logscale
eventSize(as=eventSize)
| timeChart(function=[max(eventSize), percentile(field=eventSize, percentiles=[50,75,90,99])])
```

Introduction

This query shows how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.
Example incoming data might look like this:
| @timestamp | message | user | ip_address |
|---|---|---|---|
| 2025-10-31T10:00:00.000Z | Short log message | alice | 192.168.1.100 |
| 2025-10-31T10:01:00.000Z | Very long detailed error message with stack trace | bob | 192.168.1.101 |
| 2025-10-31T10:02:00.000Z | Medium length message with details | charlie | 192.168.1.102 |
| 2025-10-31T10:03:00.000Z | Another very long message with metrics | david | 192.168.1.103 |
| 2025-10-31T10:04:00.000Z | Brief status | eve | 192.168.1.104 |
| 2025-10-31T10:05:00.000Z | Standard length log entry | frank | 192.168.1.105 |
| 2025-10-31T10:06:00.000Z | Extensive system report with details | grace | 192.168.1.106 |
| 2025-10-31T10:07:00.000Z | Quick update | henry | 192.168.1.107 |
| 2025-10-31T10:08:00.000Z | Detailed performance metrics and analysis | ivan | 192.168.1.108 |
| 2025-10-31T10:09:00.000Z | System notification | julia | 192.168.1.109 |
Step-by-Step

Starting with the source repository events.

- ```logscale
  eventSize(as=eventSize)
  ```
  Extracts the size of each individual event using the eventSize() function and stores it in the eventSize field.

- ```logscale
  | timeChart(function=[max(eventSize), percentile(field=eventSize, percentiles=[50,75,90,99])])
  ```
  Calculates the percentile() of the eventSize field, that is, the sizes below which 50%, 75%, 90% and 99% of the events in the overall event set fall, finds the maximum size of the eventSize field over the same set of events, and displays the returned results in a timechart.
Summary and Results
The query is used to show how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.
Sample output from the incoming example data:
| _bucket | _max | _50 | _75 | _90 | _99 |
|---|---|---|---|---|---|
| 1698743400000 | 12500.0000000000000 | 3200.4022591419678 | 5800.0773414212163 | 8900.077513854012 | 11200.634566556551 |
| 1698743460000 | 11800.0000000000000 | 3100.6808775630843 | 5600.4994371767473 | 8700.077513854012 | 11000.634566556551 |
| 1698743520000 | 12200.0000000000000 | 3300.7503431765824 | 5900.4994371767473 | 9100.077513854012 | 11500.586660467782 |
Note that the output shows the maximum event size (_max) and different percentiles (_50, _75, _90, _99) for the events in each time bucket. The _bucket field contains epoch timestamps in milliseconds representing the start of each time interval.