Any particular uses cases based on field $Evtlen fields? How can the size of log event help?


#1

Hey Folks,
I was just wondering, as to why we have a separate field called “$EvtLen”?

I can understand that $Txlen refers to transmission length of the data transferred and makes sense in identifying data exfil, but how does $Evtlen help?

Is there a specific use case based on this field, can you guys give me some ideas for the same :sweat_smile::wink:?


#2

Hey @Loraine,

The values within the field $Evtlen refers to the size of corresponding log event. While, values within field $Txlen refers to the size of data transferred.

$Evtlen mainly helps in calculating the log volumes ingested. As far use case goes, can’t think of a specific use case for which this field may be able to contribute though… :sweat_smile: