Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to predict event increase/license usage by...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to predict event increase/license usage by sourcetype
Hi,
I'm currently ingesting Sysmon logs from 100 hosts, event are currently stable. Though I'm looking to be sending 10x more Sysmon hosts to Splunk.
These are quite busy log sources and so I'd like to find a way, within Splunk to estimate the license usage per the Sysmon SourceType and potentially provide a graph to show predicted growth/usage in license usage AND/OR event count.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal source="*license_usage.log*" type=Usage | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@adam_dixon95 - The math is easy , the historical data is very difficult,
Youcan use MLTK or the inbuilt time series forecasting using the predict command
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Predict
BUT
you need a big chunk of historical data, based on the time range you are looking to predict for.
For example if you are looking at every hour , you would probably need an hourly historical data set for the last 1 year at a bare minimum to make a good prediction.
If you are looking at every 5 minutes, maybe you need a 5 minutes based data set for the last 3 months.
Thumb rule - more data is not necessarily better, but coverage is. If your data is cyclical (typically all businesses have some cycles - eg more sales in new year/Christmas) and you do not include the historical data for that while making a prediction, chances are that your model will fail for 2019 Christmas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @adam_dixon95
Were you able to make some progress on this question?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
