Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

License breach through MLTK

Nraj87
Explorer
‎12-10-2024 01:18 AM

Dear  All ,

Some Dynamic Sources in my environment are ingesting more data into Splunk and License limit get breach.

So Is there any way to detect this source as outliner through MLTK .

i.e. Cisco ASA Source type  has multiple sources(firewall) which ingest around 10 GB data on daily basis  suddenly one day  license usage reach to 20 GB. how to identify which source sent more data into Splunk without creating manual threshold or average of data.

Tags (2)
0 Karma
Reply

rishabhshah
Path Finder
‎12-11-2024 04:46 AM

I agree with Giuseppe as the suggestion is good to start with. However, in MLTK you can use the outlier detection example shipped with the app. Can created a search split by source which will show the sources responsible for the data growth as an outlier.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-10-2024 01:59 AM

Hi @Nraj87 ,

in my opinion, you could use the searches that you can find in [Settings > License > License Usage > Last 30 days > Split by sourcetype] more than MLTK.

eventually you could train a model in MLTK starting from the previous search.

Bur anyway, the most important activity is an analysis, starting from the above search so you can analyze your data flow and identify the sources responsible fo the data growth, so you can decide if enlarge the license or filter some events.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...