All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk license usage by sourcetype missing data?

RecoMark0
Path Finder
‎06-24-2015 12:00 PM

Hello,
I am trying to determine why we keep going over our license limit every so often, and pinpoint the sourcetype using up the most GB. However, when I switch the 30 day license usage graph to split by sourcetype, the bars never reach their actual full size.

For example, on June 18th we went over our 30GB limit by about 5GB(so 35GB total), however when I split by sourcetype, the total GB for June 18th is not even 10GB. This is using the manager/search/licenseusage, not the app
alt text alt text
You can see our limit line in both pics(the dotted line). The first solid line in the split graph is 10GB.

Is this normal? Is there a better way to help figure out sourcetype license usage? I am trying to "clean house" of unneeded indexing, but have been having little luck so far.

Thank you

Preview file
4 KB
Preview file
4 KB
0 Karma
Reply

masonmorales
Influencer
‎06-25-2015 11:07 AM

https://splunkbase.splunk.com/app/2678/

Reply

RecoMark0
Path Finder
‎06-25-2015 11:09 AM

Awesome, i will try this out!

0 Karma
Reply

masonmorales
Influencer
‎06-25-2015 11:52 AM

Just added some drop-downs to the license page so that you can select the sourcetype, so make sure you get v1.6.2. No Splunk restart required.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-25-2015 08:31 AM

29 is not a large number, I think the logging truncates to the top 100 sourcetypes.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2015 03:04 PM

Do you have a large number of low-volume sourcetypes making up most of your total volume?

The per-X logging of license info only logs the top Y number of values, so there will be inaccuracies. How large these are depends on your distribution of volume over few large sourcetypes or many small sourcetypes.

Reply

RecoMark0
Path Finder
‎06-24-2015 05:00 PM

What is a large number? We have about 29 total different sourcetypes. I thought they got lumped into "other" if they are not in the top 10 or 20?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...