Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to measure the license consume from a list of events

corti77
Contributor
‎09-21-2021 06:50 AM

Hi,

I am trying to fine tune our license consumption and I can easily check the total number of events that match certain criteria (e.g: certain windows event ID for example).  but how could I check the license consume by them? in other words, the total size of the data set of a query.

doing this, I could decide to blacklist certain events knowing beforehand that this blacklist will save X amount of MB a day of license.

cheers,

Jose

0 Karma
Reply

corti77
Contributor
‎09-21-2021 07:52 AM

hi Giuseppe,

unfortunately I cannot consult the license consumption as my splunk instance is dependent of a master instance managed by another institution. that is why I was wondering if I could make my own calculation , even though it is not 100% accurate.

maybe using something like 

index=wineventlog EventCode=4689 | eval raw_length=len(_raw) 
| stats sum(raw_length) as totalSize
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-21-2021 07:54 AM

Hi @corti77,

yes it should run, even if not accurate.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-21-2021 07:10 AM

Hi @corti77,

the calculation of consumed license is in the _internal index (as you can see in the License consuption Report [Settings -- Licenses -- License Consuption -- last 60 days]).

So it isn't so easy correlate this earch with a normal search.

My hint is to:

  • understand, using the above search, what's the most heavy sourcetype.
  • then run a search on that sourcetype finding the most numerous EventCodes.
  • Then you can decide to filter the ones of them that you don't want.

In this way you could do a percentage calculation of how many MB you save with this filter.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...