Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to measure the license consume from a list of events

corti77
Communicator
‎09-21-2021 06:50 AM

Hi,

I am trying to fine tune our license consumption and I can easily check the total number of events that match certain criteria (e.g: certain windows event ID for example).  but how could I check the license consume by them? in other words, the total size of the data set of a query.

doing this, I could decide to blacklist certain events knowing beforehand that this blacklist will save X amount of MB a day of license.

cheers,

Jose

Labels (1)
Labels
0 Karma
Reply

corti77
Communicator
‎09-21-2021 07:52 AM

hi Giuseppe,

unfortunately I cannot consult the license consumption as my splunk instance is dependent of a master instance managed by another institution. that is why I was wondering if I could make my own calculation , even though it is not 100% accurate.

maybe using something like 

index=wineventlog EventCode=4689 | eval raw_length=len(_raw) 
| stats sum(raw_length) as totalSize
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-21-2021 07:54 AM

Hi @corti77,

yes it should run, even if not accurate.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-21-2021 07:10 AM

Hi @corti77,

the calculation of consumed license is in the _internal index (as you can see in the License consuption Report [Settings -- Licenses -- License Consuption -- last 60 days]).

So it isn't so easy correlate this earch with a normal search.

My hint is to:

  • understand, using the above search, what's the most heavy sourcetype.
  • then run a search on that sourcetype finding the most numerous EventCodes.
  • Then you can decide to filter the ones of them that you don't want.

In this way you could do a percentage calculation of how many MB you save with this filter.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...