License usage for one of the sourcetypes is high

NDabhi21
Explorer

Dear All,

I have observed that license usage for one of the sourcetypes is high compared to previous days. However, the event count is low compared to previous days.

How can I check this in Splunk, and how can I validate the license utilization?

 

I.e. : 

Sourcetype: Cisco: asa 

12 July'23 - Eventcount:16819087, license usage : 21GB

14 July'23 - Eventcount:15722874, license usage : 42 GB

0 Karma

PickleRick
SplunkTrust

Judging by those values, something changed on your sources and they started sending not more but bigger events.

You can check it by comparing values from

index=your_index sourcetype=your_sourcetype
| stats count avg(eval(len(_raw))) AS avg_event_length

From the same period of those two days. As you have a lot of events to check, you can sample your data by either selecting a proper sampling ratio in the UI or adding

| noop ratio=10000

Before the stats command.

You can of course split your stats by host so you see if there is a host or group of hosts which behave differently than others.

And it's worth checking if you don't have any anomalies in terms of sudden ingestion peaks:

| tstats count where index=your_index sourcetype=your_sourcetype by host _time span=10m
0 Karma
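The checks suggested in the answer above, combined into one search as an added example (not part of the original post): it splits event count and event size per day and per host across the days from the question. The index and sourcetype names are placeholders, and the field names `raw_len`, `events`, `avg_len`, `max_len`, `raw_chars` and `raw_mb` are made up for this example; `len(_raw)` counts characters, so the totals approximate rather than equal licensed bytes.

```spl
index=your_index sourcetype=your_sourcetype earliest="07/12/2023:00:00:00" latest="07/15/2023:00:00:00"
| eval raw_len=len(_raw)
| bin _time span=1d
| stats count AS events avg(raw_len) AS avg_len max(raw_len) AS max_len sum(raw_len) AS raw_chars BY _time host
| eval avg_len=round(avg_len, 0), raw_mb=round(raw_chars/1024/1024, 1)
| sort 0 _time -raw_mb
```

A host whose `avg_len` rises sharply between the two days while `events` stays flat is one that started sending bigger events.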