All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search to determine why our license usage doubled?

avalle
Path Finder
‎05-30-2017 09:06 AM

Over the holiday weekend our license usage doubled and I need to figure out what is causing this. I have S.o.S - Splunk on Splunk installed but I am not sure if this is where I find this information. anyone have any searches to determine what devices started sending data or volume change?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-30-2017 09:32 AM

Try running these searches for the last 10 days:

| tstats count GroupBy index _time span=1d 
| timechart span=1d sum(count) BY index

Get more granular with this:

| tstats count GroupBy sourcetype index _time span=1d 
| eval entity = sourcetype . "/" . index 
| timechart span=1d sum(count) BY entity

Get the most granularity with this:

| tstats count GroupBy host sourcetype index _time span=1d 
| eval entity = host . "/" . sourcetype . "/" . index 
| timechart span=1d sum(count) BY entity

These will chart changes in # of events, but if the problem is that this metric is more or less the same and the problem is that the average size of a particular event has increased, then it will not be evident.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-30-2017 09:32 AM

Try running these searches for the last 10 days:

| tstats count GroupBy index _time span=1d 
| timechart span=1d sum(count) BY index

Get more granular with this:

| tstats count GroupBy sourcetype index _time span=1d 
| eval entity = sourcetype . "/" . index 
| timechart span=1d sum(count) BY entity

Get the most granularity with this:

| tstats count GroupBy host sourcetype index _time span=1d 
| eval entity = host . "/" . sourcetype . "/" . index 
| timechart span=1d sum(count) BY entity

These will chart changes in # of events, but if the problem is that this metric is more or less the same and the problem is that the average size of a particular event has increased, then it will not be evident.

0 Karma
Reply
Solved! Jump to solution

avalle
Path Finder
‎05-30-2017 10:14 AM

Thank you! this helped determine what index doubled in size. How do i run these searches for that particular index? I tried adding index=XXX but the search did not like it at all

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-30-2017 10:21 AM

Also, check out the Meta Woot! app:

https://splunkbase.splunk.com/app/2949/

0 Karma
Reply
Solved! Jump to solution

avalle
Path Finder
‎05-30-2017 10:51 AM

Oh this looks like a great app!!! do i have to install it in all HF and indexers? I installed in the search head and no data came up.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-30-2017 10:20 AM

After the tstats line add this line:

| search index="XXX"
0 Karma
Reply
Solved! Jump to solution

avalle
Path Finder
‎05-30-2017 10:51 AM

NICE! that worked!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...