License breach through MLTK

Nraj87 · ‎12-10-2024

Dear All ,

Some Dynamic Sources in my environment are ingesting more data into Splunk and License limit get breach.

So Is there any way to detect this source as outliner through MLTK .

i.e. Cisco ASA Source type has multiple sources(firewall) which ingest around 10 GB data on daily basis suddenly one day license usage reach to 20 GB. how to identify which source sent more data into Splunk without creating manual threshold or average of data.

rishabhshah · ‎12-11-2024

I agree with Giuseppe as the suggestion is good to start with. However, in MLTK you can use the outlier detection example shipped with the app. Can created a search split by source which will show the sources responsible for the data growth as an outlier.

gcusello · ‎12-10-2024

Hi @Nraj87 ,

in my opinion, you could use the searches that you can find in [Settings > License > License Usage > Last 30 days > Split by sourcetype] more than MLTK.

eventually you could train a model in MLTK starting from the previous search.

Bur anyway, the most important activity is an analysis, starting from the above search so you can analyze your data flow and identify the sources responsible fo the data growth, so you can decide if enlarge the license or filter some events.

Ciao.

Giuseppe

License breach through MLTK

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform