topic Re: 100% use of my events. in Getting Data In

100% use of my events.

lufermalgo — Sun, 24 May 2020 14:27:57 GMT

Hello community.

I have a query and I don't know if what I'm thinking can be achieved and how or if Splunk already has a way to solve my question.

My question is:
How to know how many bytes and fields extracted from my events in a particular index I am taking advantage of in searches?

I would like to be able to identify if I am indexing more than what is really useful for my dashboards.

Re: 100% use of my events.

to4kawa — Sun, 24 May 2020 20:48:56 GMT

https://docs.splunk.com/Documentation/Splunk/latest/admin/Limitsconf
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

you are asking two things.which do you want to know index or search ?

Re: 100% use of my events.

gcusello — Mon, 25 May 2020 06:31:32 GMT

Hi @lufermalgo,
I think that the only way to understand if all the indexed logs (or which part of them) are useful for you is to analyze informations in your logs: fields, messages, etc...

Analyzyng this, you can understand if there are events without useful informations and then exclude them before indexing using regexes.
An example to understand: if you need to know only accesses to windows servers, you need only few EventCodes (4624, 4625, 4634, etc...) so you could exclude events e.g. with EventCode=4688 (A new process has been created).

There are two methids to filter events: you can take only some interesting events and discard the others or discard only unuseful events and take all the other events.

The way to filter events is described at https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues

Ciao.
Giuseppe