I was trying to pull how much storage specific Palo rules were consuming from collecting those logs.
Is it possible for Meta Woot to pull that per event name or event type?
Thanks for the info pj!
I was actually using that dashboard but was curious whether it was possible to edit that search to break it down by other extracted fields, say "rule" for Palo TRAFFIC-based events.
Meta Woot! leverages the metadata within Splunk and does not provide access to the fields within the data. However, once you have an idea of license volume per event from Meta Woot!, you could leverage the metasearch command to quickly get a count of events that contain the word "rule".
For example:
| metasearch index=panindex sourcetype=paloaltowhatever "rule" | stats count
Obviously, you would want to customise the above to your index and sourcetype. However, this will very quickly provide a count of Palo Alto events containing the word "rule". Armed with this figure, you can simply multiply that by the license-per-event amount to give you an idea of how much license volume those events are using!
Thanks for all of your help!
There is a dashboard in Meta Woot! named "Meta Woot! License Event Usage" that calculates the amount of license used per event. It does this by cross-correlating your license data against event volumes for a given sourcetype. This gives a fairly accurate average license amount per event.
Now, if there are specific events identified by an eventtype and they are pretty much the same format/size as most other events in the sourcetype, then the average license amount per event fits fairly well. If the event is maybe double the size of other events, then you could probably just estimate the size.
If you wanted to calculate the amount an event uses in storage (i.e. after compression), you could either just go with an arbitrary 50% compression as a ballpark, or, if you want accuracy, you would need to look at the index sizes and compare raw size vs. disk size to figure out the compression ratio for the index in question, then apply that ratio to your event. A command like dbinspect will allow you to see raw sizes vs. size on disk for a given index and/or buckets.
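The arithmetic described across the two answers above (average license bytes per event for a sourcetype, multiplied by the count of events for a given rule, then scaled by the index's compression ratio from raw vs. on-disk sizes) as one worked script. This is an added example, not code from the thread or from the Meta Woot! app; every figure in it is a constructed sample, and the dbinspect field names rawSize and sizeOnDiskMB used for the bucket rows are assumptions to check against your own dbinspect output.

```python
"""Estimate license and on-disk volume for a subset of Splunk events.

Added worked example; not code from the thread or from the Meta Woot! app.
It reproduces the calculation the answers describe, with constructed sample
figures standing in for real license, search and dbinspect output.
"""
from __future__ import annotations

MIB = 1024 * 1024
BALLPARK_COMPRESSION = 0.5  # the arbitrary 50% estimate mentioned in the thread


def license_bytes_per_event(license_bytes: int, event_count: int) -> float:
    """Average license usage per event for one sourcetype.

    This is the figure the Meta Woot! License Event Usage dashboard derives by
    correlating license volume against event counts for the sourcetype.
    """
    if event_count <= 0:
        raise ValueError("event_count must be positive")
    return license_bytes / event_count


def compression_ratio(buckets: list[dict]) -> float:
    """Index compression ratio = total size on disk / total raw size.

    Each row mirrors one bucket as dbinspect reports it; the field names
    rawSize (bytes) and sizeOnDiskMB are assumed here, so verify them against
    your own dbinspect output before relying on the ratio.
    """
    raw_total = sum(int(b["rawSize"]) for b in buckets)
    disk_total = sum(float(b["sizeOnDiskMB"]) * MIB for b in buckets)
    if raw_total <= 0:
        raise ValueError("no raw data in buckets")
    return disk_total / raw_total


def estimate_per_rule(rule_counts: dict[str, int], bytes_per_event: float,
                      ratio: float,
                      size_factors: dict[str, float] | None = None) -> dict[str, dict[str, float]]:
    """License and on-disk bytes per rule.

    rule_counts: events per rule (in Splunk, the count you get by searching
    the sourcetype and counting by the extracted field).
    size_factors: optional multiplier for rules whose events are much larger
    or smaller than the sourcetype average (e.g. 2.0 for double-size events).
    """
    size_factors = size_factors or {}
    result: dict[str, dict[str, float]] = {}
    for rule, count in rule_counts.items():
        factor = size_factors.get(rule, 1.0)
        license_bytes = count * bytes_per_event * factor
        result[rule] = {
            "events": count,
            "license_bytes": license_bytes,
            "disk_bytes": license_bytes * ratio,  # storage after compression
        }
    return result


# Constructed sample data (not real Splunk output).
SAMPLE_LICENSE_BYTES = 2_000_000_000   # license consumed by the sourcetype in one day
SAMPLE_EVENT_COUNT = 5_000_000         # events indexed for that sourcetype that day
SAMPLE_BUCKETS = [                     # two constructed bucket rows
    {"rawSize": 524_288_000, "sizeOnDiskMB": 300.0},
    {"rawSize": 524_288_000, "sizeOnDiskMB": 200.0},
]
SAMPLE_RULE_COUNTS = {"allow-web": 1_000_000, "deny-all": 250_000, "threat-alert": 10_000}
SAMPLE_SIZE_FACTORS = {"threat-alert": 2.0}  # assume these events are twice the average size


def sample_report() -> dict[str, dict[str, float]]:
    """Run the full pipeline over the constructed sample figures."""
    per_event = license_bytes_per_event(SAMPLE_LICENSE_BYTES, SAMPLE_EVENT_COUNT)
    ratio = compression_ratio(SAMPLE_BUCKETS)
    return estimate_per_rule(SAMPLE_RULE_COUNTS, per_event, ratio, SAMPLE_SIZE_FACTORS)


if __name__ == "__main__":
    for rule, row in sample_report().items():
        print(f"{rule:14s} events={row['events']:>9,} "
              f"license={row['license_bytes'] / MIB:8.1f} MiB "
              f"disk={row['disk_bytes'] / MIB:8.1f} MiB")
```

If you skip the dbinspect step, pass BALLPARK_COMPRESSION as the ratio to get the rough 50% figure the answer mentions; the per-rule size factor is only there for rules whose events are clearly larger or smaller than the sourcetype average.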