I watch System Event logs across the enterprise but for very specific items. I do not send most events from my forwarders, only a select few event codes that I am interested in. This in turn results in few events from the system eventlog.
However, it seems to be eating up my license (suddenly). I have been running it in this fashion for a year and suddenly in the last couple days, I have had license issues.
When I look at the License Volume split by source, I see my system event log over my license amount all by itself, but for the same time period (24 hours) I only see 790 events. So I look at one particular half-hour window and I see only 13 events, yet Splunk is reporting it is over 32 MB in size.
I am confused as to what is going on and I need to clear up the license issue in a hurry. Does anyone have any thoughts or has anyone seen this behavior before?
This is not the case. I had a file system monitoring issue that put me over my license. I reset my license, removed the file system monitoring and now I have this problem.
I am now over my license again due to this. I see that every half-hour period has only a few events, but the size is over 30 MB. It's as if it is saying that each event is between 2 & 3 MB, which is ridiculous...
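One way to put the two numbers the poster is comparing (licensed bytes versus indexed event count per half hour) side by side is to read the indexer's own license accounting directly. The searches below are an added example and are not from the original post; they assume the Windows System log arrives with the sourcetype `WinEventLog:System` (the name used by the Splunk Add-on for Windows; substitute whatever your inputs.conf sets) and that the searching instance can read the indexer's `_internal` index.

```spl
| rest or a dashboard is not needed; run each search over the same 24-hour window

| The per-minute license accounting the indexer writes. `type=Usage` lines carry
| bytes (`b`), source (`s`), sourcetype (`st`), host (`h`) and index (`idx`).
index=_internal source=*license_usage.log* type=Usage st="WinEventLog:System"
| bin _time span=30m
| stats sum(b) AS licensed_bytes BY _time, st
| eval licensed_mb=round(licensed_bytes/1048576, 2)

| The events that were actually indexed from the same sourcetype, bucketed the same way.
sourcetype="WinEventLog:System"
| bin _time span=30m
| stats count AS indexed_events, avg(eval(len(_raw))) AS avg_raw_bytes BY _time, sourcetype
| eval avg_raw_kb=round(avg_raw_bytes/1024, 2)
```

Two things to read off the results. If `licensed_mb` for a half hour is ~32 MB while `indexed_events` is 13 and `avg_raw_kb` is small, the license charge is not coming from the events you can see under that sourcetype, and the next step is to drop the `st=` filter on the first search and split by `s`, `st` and `h` to find which source or host is really carrying the volume. If `avg_raw_kb` itself is in the megabytes, the events really are that large (a single event that swallowed a large block of text, for example), and looking at `_raw` of one of those 13 events will show why. One caveat: when an indexer sees more than `squash_threshold` distinct source/sourcetype/host combinations in a reporting period (2000 by default in server.conf), it replaces `s` and `h` with `SQUASHED` in license_usage.log, so the per-source breakdown may be unavailable even though the per-sourcetype totals are still correct.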