Getting Data In

License breach through MLTK

Nraj87
Explorer

Dear All,

Some dynamic sources in my environment are ingesting more data into Splunk, and the license limit gets breached.

So is there any way to detect this source as an outlier through MLTK?

I.e., the Cisco ASA sourcetype has multiple sources (firewalls) which ingest around 10 GB of data on a daily basis; suddenly one day license usage reaches 20 GB. How can I identify which source sent more data into Splunk without creating a manual threshold or average of the data?

0 Karma

rishabhshah
Path Finder

I agree with Giuseppe, as the suggestion is good to start with. However, in MLTK you can use the outlier detection example shipped with the app. You can create a search split by source which will show the sources responsible for the data growth as an outlier.

0 Karma

gcusello
SplunkTrust

Hi @Nraj87 ,

In my opinion, you could use the searches that you can find in [Settings > License > License Usage > Last 30 days > Split by sourcetype] rather than MLTK.

Eventually you could train a model in MLTK starting from the previous search.

But anyway, the most important activity is an analysis, starting from the above search, so you can analyze your data flow and identify the sources responsible for the data growth, and then decide whether to enlarge the license or filter some events.

Ciao.

Giuseppe

0 Karma
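One way to write the search split by source discussed in the replies above, as an added example that is not part of either post: it reads the license usage data in `index=_internal`, sums bytes per source per day, and flags days above that source's own median plus three median absolute deviations, so no manual threshold is set per firewall. The sourcetype value is a placeholder and the multiplier of 3 is an assumption to tune; run it over the last 30 days.

```spl
index=_internal source=*license_usage.log* type=Usage st="<your_asa_sourcetype>"
| bin _time span=1d
| stats sum(b) AS bytes BY _time, s
| eventstats median(bytes) AS median_bytes BY s
| eval abs_dev=abs(bytes - median_bytes)
| eventstats median(abs_dev) AS mad BY s
| eval upper_bound=median_bytes + 3 * mad
| where bytes > upper_bound
| eval GB=round(bytes/1024/1024/1024, 2), typical_GB=round(median_bytes/1024/1024/1024, 2)
| table _time, s, GB, typical_GB
| sort - GB
```

If the license manager has squashed the `s` field because of too many distinct source values, the per-source split has to be computed from the indexed events instead. A source whose volume never varies has a deviation of zero, so any increase on it will be flagged.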