How to measure the license consume from a list of ...

corti77 · ‎09-21-2021

Hi,

I am trying to fine tune our license consumption and I can easily check the total number of events that match certain criteria (e.g: certain windows event ID for example). but how could I check the license consume by them? in other words, the total size of the data set of a query.

doing this, I could decide to blacklist certain events knowing beforehand that this blacklist will save X amount of MB a day of license.

cheers,

Jose

corti77 · ‎09-21-2021

hi Giuseppe,

unfortunately I cannot consult the license consumption as my splunk instance is dependent of a master instance managed by another institution. that is why I was wondering if I could make my own calculation , even though it is not 100% accurate.

maybe using something like

index=wineventlog EventCode=4689 | eval raw_length=len(_raw) 
| stats sum(raw_length) as totalSize

gcusello · ‎09-21-2021

Hi @corti77,

yes it should run, even if not accurate.

Ciao.

Giuseppe

gcusello · ‎09-21-2021

Hi @corti77,

the calculation of consumed license is in the _internal index (as you can see in the License consuption Report [Settings -- Licenses -- License Consuption -- last 60 days]).

So it isn't so easy correlate this earch with a normal search.

My hint is to:

understand, using the above search, what's the most heavy sourcetype.
then run a search on that sourcetype finding the most numerous EventCodes.
Then you can decide to filter the ones of them that you don't want.

In this way you could do a percentage calculation of how many MB you save with this filter.

Ciao.

Giuseppe

How to measure the license consume from a list of events

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life