Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to predict event increase/license usage by sourcetype

adam_dixon95
Explorer
‎08-16-2019 08:40 AM

Hi,

I'm currently ingesting Sysmon logs from 100 hosts, event are currently stable. Though I'm looking to be sending 10x more Sysmon hosts to Splunk.

These are quite busy log sources and so I'd like to find a way, within Splunk to estimate the license usage per the Sysmon SourceType and potentially provide a graph to show predicted growth/usage in license usage AND/OR event count.

Thanks

0 Karma
Reply

nareshinsvu
Builder
‎08-18-2019 07:03 PM 
 index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday
0 Karma
Reply

Sukisen1981
Champion
‎08-16-2019 08:53 AM

@adam_dixon95 - The math is easy , the historical data is very difficult,
Youcan use MLTK or the inbuilt time series forecasting using the predict command
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Predict
BUT
you need a big chunk of historical data, based on the time range you are looking to predict for.
For example if you are looking at every hour , you would probably need an hourly historical data set for the last 1 year at a bare minimum to make a good prediction.
If you are looking at every 5 minutes, maybe you need a 5 minutes based data set for the last 3 months.
Thumb rule - more data is not necessarily better, but coverage is. If your data is cyclical (typically all businesses have some cycles - eg more sales in new year/Christmas) and you do not include the historical data for that while making a prediction, chances are that your model will fail for 2019 Christmas

0 Karma
Reply

Sukisen1981
Champion
‎08-19-2019 07:58 AM

hi @adam_dixon95
Were you able to make some progress on this question?

0 Karma
Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top