How to predict event increase/license usage by sou...

adam_dixon95 · ‎08-16-2019

Hi,

I'm currently ingesting Sysmon logs from 100 hosts, event are currently stable. Though I'm looking to be sending 10x more Sysmon hosts to Splunk.

These are quite busy log sources and so I'd like to find a way, within Splunk to estimate the license usage per the Sysmon SourceType and potentially provide a graph to show predicted growth/usage in license usage AND/OR event count.

Thanks

nareshinsvu · ‎08-18-2019

 index=_internal source="*license_usage.log*" type=Usage  | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday

Sukisen1981 · ‎08-16-2019

@adam_dixon95 - The math is easy , the historical data is very difficult,
Youcan use MLTK or the inbuilt time series forecasting using the predict command
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Predict
BUT
you need a big chunk of historical data, based on the time range you are looking to predict for.
For example if you are looking at every hour , you would probably need an hourly historical data set for the last 1 year at a bare minimum to make a good prediction.
If you are looking at every 5 minutes, maybe you need a 5 minutes based data set for the last 3 months.
Thumb rule - more data is not necessarily better, but coverage is. If your data is cyclical (typically all businesses have some cycles - eg more sales in new year/Christmas) and you do not include the historical data for that while making a prediction, chances are that your model will fail for 2019 Christmas

Sukisen1981 · ‎08-19-2019

hi @adam_dixon95
Were you able to make some progress on this question?

How to predict event increase/license usage by sourcetype

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...