Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to predict event increase/license usage by sourcetype

adam_dixon95
Explorer
‎08-16-2019 08:40 AM

Hi,

I'm currently ingesting Sysmon logs from 100 hosts, event are currently stable. Though I'm looking to be sending 10x more Sysmon hosts to Splunk.

These are quite busy log sources and so I'd like to find a way, within Splunk to estimate the license usage per the Sysmon SourceType and potentially provide a graph to show predicted growth/usage in license usage AND/OR event count.

Thanks

0 Karma
Reply

nareshinsvu
Builder
‎08-18-2019 07:03 PM 
 index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday
0 Karma
Reply

Sukisen1981
Champion
‎08-16-2019 08:53 AM

@adam_dixon95 - The math is easy , the historical data is very difficult,
Youcan use MLTK or the inbuilt time series forecasting using the predict command
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Predict
BUT
you need a big chunk of historical data, based on the time range you are looking to predict for.
For example if you are looking at every hour , you would probably need an hourly historical data set for the last 1 year at a bare minimum to make a good prediction.
If you are looking at every 5 minutes, maybe you need a 5 minutes based data set for the last 3 months.
Thumb rule - more data is not necessarily better, but coverage is. If your data is cyclical (typically all businesses have some cycles - eg more sales in new year/Christmas) and you do not include the historical data for that while making a prediction, chances are that your model will fail for 2019 Christmas

0 Karma
Reply

Sukisen1981
Champion
‎08-19-2019 07:58 AM

hi @adam_dixon95
Were you able to make some progress on this question?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top