License usage for one of the sourcetypes is high

NDabhi21
Explorer

Dear All,

I have observed that license usage for one of the sourcetypes is high compared to previous days. However, the event count is low compared to previous days.

How can I check this in Splunk, and how can I validate the licence utilization?

 

I.e. : 

Sourcetype: Cisco: asa 

12 July'23 - Eventcount:16819087, license usage : 21GB

14 July'23 - Eventcount:15722874, license usage : 42 GB

0 Karma

PickleRick
SplunkTrust

Judging by those values, something changed on your sources and they started sending not more but bigger events.

You can check it by comparing values from

index=your_index sourcetype=your_sourcetype
| stats count avg(eval(len(_raw))) as avg_len

from the same period of those two days. As you have a lot of events to check, you can sample your data by either selecting a proper sampling ratio in the UI or adding

| noop ratio=10000

before the stats command.

You can of course split your stats by host so you see if there is a host or group of hosts which behave differently than others.

And it's worth checking if you don't have any anomalies in terms of sudden ingestion peaks:

| tstats count where index=your_index sourcetype=your_sourcetype by host _time span=10m
0 Karma
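
An added example, not part of the original posts: one search that puts the two days from the question side by side per host, so a host whose events grew in size stands out from one that simply sent more events. The index and sourcetype placeholders are the ones used in the answer; the output field names (`events_before`, `avg_len_after`, `size_ratio` and so on) are chosen here for illustration, and the year 2023 is taken from the dates in the question.

```spl
index=your_index sourcetype=your_sourcetype
    ((earliest="07/12/2023:00:00:00" latest="07/13/2023:00:00:00")
     OR (earliest="07/14/2023:00:00:00" latest="07/15/2023:00:00:00"))
| eval raw_len=len(_raw)
| eval day=if(_time < strptime("07/14/2023", "%m/%d/%Y"), "before", "after")
| stats count(eval(day="before")) as events_before
        count(eval(day="after")) as events_after
        avg(eval(if(day="before", raw_len, null()))) as avg_len_before
        avg(eval(if(day="after", raw_len, null()))) as avg_len_after
        by host
| eval count_ratio=round(events_after / events_before, 2)
| eval size_ratio=round(avg_len_after / avg_len_before, 2)
| sort - size_ratio
```

A `size_ratio` well above 1 with a `count_ratio` near 1 matches the pattern in the question (fewer events, double the volume). Note that `len(_raw)` counts characters, so it approximates rather than equals the licensed byte count.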