splunk sort events by size column in the log event

Question

Using below query to get the list of all messages having "large partition" keyword.

index="*-mycass-db" "large partition"

Gets me tons of below events, want to find events in the descending order of the size of the table (100.803MiB in this example), am ok with getting the event with the biggest size. How to sort events by size in this message? Is it possible at all? Sorry I am not much familiar with Splunk queries.

WARN  [CompactionExecutor:111575] 2021-09-22 19:49:47,738  BigTableWriter.java:211 - Writing large partition keyspacename/tablename:xxxxxxx-yyyyy-zzzz-b6d4-1f4d3893e104:DOMAINDATA:REALTIME_EVENT_DATA (100.803MiB) to sstable /data/cassandra/data/keyspacename/tablename-aaaaaaaaaaaaaaabbbbbbbbbb/mc-17858-big-Data.db
host = myhost.mydomain source = /data/cassandra/logs/system.logsourcetype = cassandra:cluster:system

RichG · Accepted Answer · 2021-09-23T13:22:43.130

1

The first step is to extract the size of the tables from the events. Then you can sort them by size.

index="*-mycass-db" "large partition"
| rex "\((?<size>\d+\.\d+)MiB"
| sort - size

edited Sep 23 '21 at 13:22

answered Sep 23 '21 at 13:11

RichG

9,063
2
18
29

splunk sort events by size column in the log event

1 Answers1