topic license violation in Security

license violation

edwinbmiller — Mon, 28 Sep 2020 11:42:47 GMT

using the Splunk License Usage App to get breakdown of index usage by index,host,source,sourcetype
however what i would really like is usage by event_type. I'm assuming one of the reasons my index are large on the above items is because the users have setup event_type rules that are to generic and by making the rules more specific i csn cut down on index volume? Am i looking at this correctly? I'm new to splunk so please forgive the ignorance

Re: license violation

sowings — Tue, 24 Apr 2012 14:35:28 GMT

Event type rules (eventtypes.conf) are done at search time, and don't count against your indexing limit. The licensing usage only applies to raw data coming in from your log sources. If you are collecting from a large number of hosts, or large number of files, you can do searches like:

| metadata type=hosts OR | metadata type=sources

The number shown in the "events" column is the number of log events from that host (or input file). This can help to identify "noisy" hosts. You could then do a search for that host (again, or logfile) to look at the log events, to then see the contents of that log data.

Re: license violation

edwinbmiller — Wed, 25 Apr 2012 01:58:58 GMT

thanks for the clarification, so the only way to reduce usage is reduce the rate of syslogs entries being generated by chatty hosts?
It would be great if there was a way to discard unwanted syslog or other data source entries so they would not be counted against the license.
After all why should i pay for data i don't even need.
Often filtering output directly from a source is hard.

Re: license violation

sowings — Wed, 25 Apr 2012 02:07:10 GMT

You can filter out specific events (be careful that the regex is not too general!) by using the nullQueue. There are some tips here.