Splunk license usage by sourcetype missing data?

RecoMark0 · ‎06-24-2015

Hello,
I am trying to determine why we keep going over our license limit every so often, and pinpoint the sourcetype using up the most GB. However, when I switch the 30 day license usage graph to split by sourcetype, the bars never reach their actual full size.

For example, on June 18th we went over our 30GB limit by about 5GB(so 35GB total), however when I split by sourcetype, the total GB for June 18th is not even 10GB. This is using the manager/search/licenseusage, not the app
alt text
You can see our limit line in both pics(the dotted line). The first solid line in the split graph is 10GB.

Is this normal? Is there a better way to help figure out sourcetype license usage? I am trying to "clean house" of unneeded indexing, but have been having little luck so far.

Thank you

masonmorales · ‎06-25-2015

https://splunkbase.splunk.com/app/2678/

RecoMark0 · ‎06-25-2015

Awesome, i will try this out!

masonmorales · ‎06-25-2015

Just added some drop-downs to the license page so that you can select the sourcetype, so make sure you get v1.6.2. No Splunk restart required.

martin_mueller · ‎06-25-2015

29 is not a large number, I think the logging truncates to the top 100 sourcetypes.

martin_mueller · ‎06-24-2015

Do you have a large number of low-volume sourcetypes making up most of your total volume?

The per-X logging of license info only logs the top Y number of values, so there will be inaccuracies. How large these are depends on your distribution of volume over few large sourcetypes or many small sourcetypes.

RecoMark0 · ‎06-24-2015

What is a large number? We have about 29 total different sourcetypes. I thought they got lumped into "other" if they are not in the top 10 or 20?

Splunk license usage by sourcetype missing data?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...