https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12931#M158 <P>Here is a search you may find helpful, it does not 100% correlate to license usage, but you can get it pretty close by filtering out internal sourcetypes.</P> <BLOCKQUOTE> <P><CODE>index=_internal sourcetype=splunkd source=*metrics* "group=per_sourcetype_thruput" NOT series="filetrackercrclog" NOT series="splunk*" NOT series="audittrail" NOT series="scheduler" NOT series="searches" NOT series="stash" | eval events=eps*kb/kbps | stats sum(events) as events sum(kb) as kb by series | eval events=round(events,0) | eval kb=round(kb,1)</CODE></P> </BLOCKQUOTE> <P>This search gives you the event count and kb by series (in this case <EM>series</EM> means <EM>sourcetype</EM>). </P> <P><EM>Note that this is assuming your are on the latest 4.0.x release or any 4.1.x release, otherwise you should take out the <CODE>NOT series="stash"</CODE> part because summary indexing does count towards your licensing in older releases.</EM></P> <P>I've run into issues trying to do meaningful things with the <CODE>kbps</CODE> metric for 2 reasons:</P> <UL> <LI>if you are looking at long-term analysis, you can't do much with it because it's already an average, so doing <CODE>avg(kbps)</CODE> further skews your number.</LI> <LI>Metrics are only recorded for series that are part of the top 10 active series. So it's likely that a sourcetype that varies in volume during the day will drop out of sight until the volume level increases again. Normally this isn't too big of a deal... (BTW, you can change the number of series to capture in <CODE>limits.conf</CODE>, look for the <CODE>metrics</CODE> stanza.)</LI> </UL> <P>If you are simply trying to get a view of activity at this moment or look for spikes, then <CODE>kbps</CODE> can be helpful, but for longer-term analysis I recommend looking at actual data indexed in terms of <CODE>kb</CODE> or <CODE>events</CODE>.</P> <P>I wish that splunk gave you some additional metrics that indicated what was counting towards your license usage, but I don't think that information exists (other than the daily <CODE>LicenseManager-Audit</CODE> message). I think this is as good as it gets in the current release.</P> Wed, 05 May 2010 20:15:45 GMT Lowell 2010-05-05T20:15:45Z https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12930#M157 <P>Does anyone have a search that can break down kbs by sourcetype?</P> Tue, 23 Jun 2020 18:44:32 GMT https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12930#M157 dcroteau 2020-06-23T18:44:32Z https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12931#M158 <P>Here is a search you may find helpful, it does not 100% correlate to license usage, but you can get it pretty close by filtering out internal sourcetypes.</P> <BLOCKQUOTE> <P><CODE>index=_internal sourcetype=splunkd source=*metrics* "group=per_sourcetype_thruput" NOT series="filetrackercrclog" NOT series="splunk*" NOT series="audittrail" NOT series="scheduler" NOT series="searches" NOT series="stash" | eval events=eps*kb/kbps | stats sum(events) as events sum(kb) as kb by series | eval events=round(events,0) | eval kb=round(kb,1)</CODE></P> </BLOCKQUOTE> <P>This search gives you the event count and kb by series (in this case <EM>series</EM> means <EM>sourcetype</EM>). </P> <P><EM>Note that this is assuming your are on the latest 4.0.x release or any 4.1.x release, otherwise you should take out the <CODE>NOT series="stash"</CODE> part because summary indexing does count towards your licensing in older releases.</EM></P> <P>I've run into issues trying to do meaningful things with the <CODE>kbps</CODE> metric for 2 reasons:</P> <UL> <LI>if you are looking at long-term analysis, you can't do much with it because it's already an average, so doing <CODE>avg(kbps)</CODE> further skews your number.</LI> <LI>Metrics are only recorded for series that are part of the top 10 active series. So it's likely that a sourcetype that varies in volume during the day will drop out of sight until the volume level increases again. Normally this isn't too big of a deal... (BTW, you can change the number of series to capture in <CODE>limits.conf</CODE>, look for the <CODE>metrics</CODE> stanza.)</LI> </UL> <P>If you are simply trying to get a view of activity at this moment or look for spikes, then <CODE>kbps</CODE> can be helpful, but for longer-term analysis I recommend looking at actual data indexed in terms of <CODE>kb</CODE> or <CODE>events</CODE>.</P> <P>I wish that splunk gave you some additional metrics that indicated what was counting towards your license usage, but I don't think that information exists (other than the daily <CODE>LicenseManager-Audit</CODE> message). I think this is as good as it gets in the current release.</P> Wed, 05 May 2010 20:15:45 GMT https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12931#M158 Lowell 2010-05-05T20:15:45Z https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12932#M159 <P>I am looking for something similar, I want to get a breakdwon by not only sourcetype, but by server. </P> <P>Ideally, I want a chart that has:</P> <P>Sourcetype Hostname Events KB </P> <P>I would take something that just has events, and not KB as well.</P> Thu, 05 Aug 2010 22:20:55 GMT https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12932#M159 tawollen 2010-08-05T22:20:55Z https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12933#M160 <P>One option is to install the "Splunk License Usage" app available here.</P> <P><A href="http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+License+Usage" rel="nofollow">http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+License+Usage</A></P> Thu, 19 Aug 2010 23:36:06 GMT https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12933#M160 cdthompso1 2010-08-19T23:36:06Z https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12934#M161 <P>Search relevant for this Question from the app:</P> <P>kBs Indexed in Past 24 Hours by Sourcetype</P> <P>search = index="_internal" source="*metrics.log" per_sourcetype_thruput | timechart sum(kb) by series</P> Mon, 28 Sep 2020 20:21:43 GMT https://community.splunk.com/t5/Installation/Does-anyone-have-a-search-that-can-break-down-KBs-by-sourcetype/m-p/12934#M161 stanwin 2020-09-28T20:21:43Z