nmakb
Reputation: 1245
splunk sort events by size column in the log event
Using below query to get the list of all messages having "large partition" keyword.
index="*-mycass-db" "large partition"
Gets me tons of below events, want to find events in the descending order of the size of the table (100.803MiB in this example), am ok with getting the event with the biggest size. How to sort events by size in this message? Is it possible at all? Sorry I am not much familiar with Splunk queries.
WARN [CompactionExecutor:111575] 2021-09-22 19:49:47,738 BigTableWriter.java:211 - Writing large partition keyspacename/tablename:xxxxxxx-yyyyy-zzzz-b6d4-1f4d3893e104:DOMAINDATA:REALTIME_EVENT_DATA (100.803MiB) to sstable /data/cassandra/data/keyspacename/tablename-aaaaaaaaaaaaaaabbbbbbbbbb/mc-17858-big-Data.db
host = myhost.mydomain source = /data/cassandra/logs/system.logsourcetype = cassandra:cluster:system
Upvotes: 3
Views: 929
Answers (1)
RichG
Reputation: 9926
The first step is to extract the size of the tables from the events. Then you can sort them by size.
index="*-mycass-db" "large partition"
| rex "\((?<size>\d+\.\d+)MiB"
| sort - size
Upvotes: 1
Related Questions
- Splunk: How to check the logfile size of specific logfiles?
- Sort content of field alphabetically in splunk
- splunk query based on log stdout
- How to find duplicate log events in Splunk
- Splunk searching event logs to find values exceeding a given threshold
- Splunk: Group by certain entry in log file
- Group events by multiple fields in Splunk
- How to add custom field to events in Splunk?
- Splunk - Get Prefefined Outputs Based on the event count and event data
- Splunk Custom Log format Parsing