How to search by _size metadata

Comments

2 comments

  • Caleb Fogleman
    Hey Mikey,

    This can be done successfully using the "where" operator:

        _collector="myCollectorName" | where _size>5000

    For more information on collection sizes, I would suggest using aggregators like sum(), avg(), min(), and max(). For instance, to view stats on all collectors for a given time range, sorted by average message size:

        * | avg(_size) as avgsize, min(_size) as minsize, max(_size) as maxsize by _collector | sort by avgsize

    Hope this helps!
  • Mikey Fordyce
    Thank you!