Track Event Size Within a Repository

Calculate the event size and report the relative size statistics for each event using the eventSize() function

Query

Flowchart: Events -> Expression -> Filter -> Result Set

```logscale
eventSize(as=eventSize)
|timeChart(function=[max(eventSize),percentile(field=eventSize,percentiles=[50,75,90,99])])
```

Introduction

The eventSize() function is used to search for events based on their internal disk storage usage. The function augments each event with a field holding its size.

This query shows how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.

Example incoming data might look like this:

| @timestamp | message | user | ip_address |
|---|---|---|---|
| 2025-10-31T10:00:00.000Z | Short log message | alice | 192.168.1.100 |
| 2025-10-31T10:01:00.000Z | Very long detailed error message with stack trace | bob | 192.168.1.101 |
| 2025-10-31T10:02:00.000Z | Medium length message with details | charlie | 192.168.1.102 |
| 2025-10-31T10:03:00.000Z | Another very long message with metrics | david | 192.168.1.103 |
| 2025-10-31T10:04:00.000Z | Brief status | eve | 192.168.1.104 |
| 2025-10-31T10:05:00.000Z | Standard length log entry | frank | 192.168.1.105 |
| 2025-10-31T10:06:00.000Z | Extensive system report with details | grace | 192.168.1.106 |
| 2025-10-31T10:07:00.000Z | Quick update | henry | 192.168.1.107 |
| 2025-10-31T10:08:00.000Z | Detailed performance metrics and analysis | ivan | 192.168.1.108 |
| 2025-10-31T10:09:00.000Z | System notification | julia | 192.168.1.109 |

Step-by-Step

  1. Starting with the source repository events.

  2. Flowchart: Events -> [Expression] -> Filter -> Result Set (Expression stage highlighted)

    ```logscale
    eventSize(as=eventSize)
    ```

    Extracts the information about the size of each individual event using the eventSize() function.

  3. Flowchart: Events -> Expression -> [Filter] -> Result Set (Filter stage highlighted)

    ```logscale
    |timeChart(function=[max(eventSize),percentile(field=eventSize,percentiles=[50,75,90,99])])
    ```

    Calculates the percentile() of the eventSize field, determining the event size at the 50th, 75th, 90th, and 99th percentiles of the overall event set, finds the maximum eventSize over the set of events with max(), and displays the returned results as a time chart.

  4. Event Result set.
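The following Python script is an added illustration of what the two-stage pipeline above computes; it is not code from the LogScale documentation or product. It runs over the constructed sample events from the example table and produces one row per time bucket with the same column names as the sample output (_bucket, _max, _50, _75, _90, _99). Three things are assumptions for the sake of a self-contained example: event_size() measures the compact JSON form of the event, whereas eventSize() reports LogScale's internal storage size; percentile() here is an exact nearest-rank percentile, whereas LogScale's percentile() returns an estimate; and a fixed 5-minute span is used where the page's timeChart() call lets LogScale choose the span. The byte counts and percentile values therefore differ from the sample output on the page, but the structure of the result is the same.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from math import ceil

# Constructed sample events, modelled on the page's example table (not real log data).
EVENTS = [
    {"@timestamp": "2025-10-31T10:00:00.000Z", "message": "Short log message", "user": "alice", "ip_address": "192.168.1.100"},
    {"@timestamp": "2025-10-31T10:01:00.000Z", "message": "Very long detailed error message with stack trace", "user": "bob", "ip_address": "192.168.1.101"},
    {"@timestamp": "2025-10-31T10:02:00.000Z", "message": "Medium length message with details", "user": "charlie", "ip_address": "192.168.1.102"},
    {"@timestamp": "2025-10-31T10:03:00.000Z", "message": "Another very long message with metrics", "user": "david", "ip_address": "192.168.1.103"},
    {"@timestamp": "2025-10-31T10:04:00.000Z", "message": "Brief status", "user": "eve", "ip_address": "192.168.1.104"},
    {"@timestamp": "2025-10-31T10:05:00.000Z", "message": "Standard length log entry", "user": "frank", "ip_address": "192.168.1.105"},
    {"@timestamp": "2025-10-31T10:06:00.000Z", "message": "Extensive system report with details", "user": "grace", "ip_address": "192.168.1.106"},
    {"@timestamp": "2025-10-31T10:07:00.000Z", "message": "Quick update", "user": "henry", "ip_address": "192.168.1.107"},
    {"@timestamp": "2025-10-31T10:08:00.000Z", "message": "Detailed performance metrics and analysis", "user": "ivan", "ip_address": "192.168.1.108"},
    {"@timestamp": "2025-10-31T10:09:00.000Z", "message": "System notification", "user": "julia", "ip_address": "192.168.1.109"},
]


def event_size(event):
    """Stand-in for eventSize(): byte length of the event's compact JSON form.
    Assumption: LogScale measures internal storage size, which differs from this."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def bucket_start_ms(timestamp, span_ms):
    """Map an ISO-8601 UTC timestamp to the start of its time bucket, in epoch
    milliseconds (the unit the page's _bucket column uses)."""
    dt = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    ms = int(dt.timestamp()) * 1000
    return ms - ms % span_ms


def percentile(sorted_values, p):
    """Exact nearest-rank percentile: the smallest value such that at least p% of
    the values are <= it. LogScale's percentile() reports an estimate instead."""
    rank = max(1, ceil(p / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def time_chart(events, span_ms=5 * 60 * 1000, percentiles=(50, 75, 90, 99)):
    """Equivalent of timeChart(function=[max(eventSize), percentile(...)]):
    group events by time bucket and report the max and percentile sizes per bucket."""
    buckets = defaultdict(list)
    for event in events:
        buckets[bucket_start_ms(event["@timestamp"], span_ms)].append(event_size(event))
    rows = []
    for bucket in sorted(buckets):
        sizes = sorted(buckets[bucket])
        row = {"_bucket": bucket, "_max": sizes[-1]}
        for p in percentiles:
            row[f"_{p}"] = percentile(sizes, p)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in time_chart(EVENTS):
        print(row)
```

When reading the real chart, the _99 and _max series are the ones to watch: the median (_50) stays flat while a handful of oversized events, such as a source that starts emitting verbose stack traces or unexpectedly large payloads in log fields, pull the upper percentiles up. Catching that early, before the repository's storage quota is hit, is the practical reason for plotting the percentiles alongside the maximum rather than the maximum alone.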

Summary and Results

The query is used to show how statistical information about events can first be determined, and then converted into a graph that shows the relative sizes.

Sample output from the incoming example data:

| _bucket | _max | _50 | _75 | _90 | _99 |
|---|---|---|---|---|---|
| 1698743400000 | 12500.0000000000000 | 3200.4022591419678 | 5800.0773414212163 | 8900.077513854012 | 11200.634566556551 |
| 1698743460000 | 11800.0000000000000 | 3100.6808775630843 | 5600.4994371767473 | 8700.077513854012 | 11000.634566556551 |
| 1698743520000 | 12200.0000000000000 | 3300.7503431765824 | 5900.4994371767473 | 9100.077513854012 | 11500.586660467782 |

Note that the output shows the maximum event size (_max) and different percentiles (_50, _75, _90, _99) for the events in each time bucket. The _bucket field contains epoch timestamps in milliseconds representing the start of each time interval.