Does anyone have a search that can break down KBs by sourcetype?

Splunk Employee

Does anyone have a search that can break down kbs by sourcetype?


New Member

One option is to install the "Splunk License Usage" app available here.

0 Karma


Search relevant for this Question from the app:

kBs Indexed in Past 24 Hours by Sourcetype

search = index="_internal" source="*metrics.log" per_sourcetype_thruput | timechart sum(kb) by series

0 Karma

Path Finder

I am looking for something similar, I want to get a breakdown by not only sourcetype, but by server.

Ideally, I want a chart that has:

Sourcetype Hostname Events KB

I would take something that just has events, and not KB as well.

0 Karma

Super Champion

Here is a search you may find helpful; it does not 100% correlate to license usage, but you can get it pretty close by filtering out internal sourcetypes.

index=_internal sourcetype=splunkd source=*metrics* "group=per_sourcetype_thruput" NOT series="filetrackercrclog" NOT series="splunk*" NOT series="audittrail" NOT series="scheduler" NOT series="searches" NOT series="stash" | eval events=eps*kb/kbps | stats sum(events) as events sum(kb) as kb by series | eval events=round(events,0) | eval kb=round(kb,1)

This search gives you the event count and kb by series (in this case series means sourcetype).

Note that this is assuming you are on the latest 4.0.x release or any 4.1.x release, otherwise you should take out the NOT series="stash" part because summary indexing does count towards your licensing in older releases.

I've run into issues trying to do meaningful things with the kbps metric for 2 reasons:

  • if you are looking at long-term analysis, you can't do much with it because it's already an average, so doing avg(kbps) further skews your number.
  • Metrics are only recorded for series that are part of the top 10 active series. So it's likely that a sourcetype that varies in volume during the day will drop out of sight until the volume level increases again. Normally this isn't too big of a deal... (BTW, you can change the number of series to capture in limits.conf, look for the metrics stanza.)

If you are simply trying to get a view of activity at this moment or look for spikes, then kbps can be helpful, but for longer-term analysis I recommend looking at actual data indexed in terms of kb or events.

I wish that Splunk gave you some additional metrics that indicated what was counting towards your license usage, but I don't think that information exists (other than the daily LicenseManager-Audit message). I think this is as good as it gets in the current release.
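As an added example (not code from this thread or from Splunk), the following Python reproduces the aggregation of the search above offline on constructed metrics.log lines, so you can see how eps*kb/kbps turns the per-sample metrics into an event count, which series the NOT clauses drop, and what happens when kbps is zero; the sample lines and their field layout are assumptions.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample lines (not real data); the field layout is assumed to
# carry the fields the search relies on: group, series, kbps, eps and kb.
SAMPLE_METRICS_LOG = """\
06-20-2024 10:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=2.000, eps=10.000, kb=60.000, avg_age=0.1, max_age=1
06-20-2024 10:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.500, eps=4.000, kb=15.000, avg_age=0.2, max_age=1
06-20-2024 10:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=1.000, eps=3.000, kb=30.000, avg_age=0.0, max_age=0
06-20-2024 10:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="stash", kbps=0.100, eps=1.000, kb=3.000, avg_age=0.0, max_age=0
06-20-2024 10:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=3.000, eps=17.000, kb=90.000, avg_age=0.1, max_age=1
06-20-2024 10:01:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=1.000, eps=5.000, kb=30.000, avg_age=0.1, max_age=1
06-20-2024 10:01:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="cisco", kbps=0.000, eps=0.000, kb=0.000, avg_age=0.0, max_age=0
"""

# Series dropped by the NOT series=... clauses of the search (SPL wildcards).
EXCLUDED_SERIES = ("filetrackercrclog", "splunk*", "audittrail",
                   "scheduler", "searches", "stash")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_metrics_line(line):
    """Turn the key=value tail of a metrics.log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_excluded(series):
    # SPL compares field values case-insensitively; mirror that here.
    return any(fnmatch(series.lower(), pat) for pat in EXCLUDED_SERIES)


def kb_and_events_by_series(log_text):
    """Offline equivalent of: eval events=eps*kb/kbps | stats sum(events) sum(kb) by series."""
    totals = defaultdict(lambda: {"events": 0.0, "kb": 0.0})
    for line in log_text.splitlines():
        f = parse_metrics_line(line)
        series = f.get("series", "")
        if f.get("group") != "per_sourcetype_thruput" or not series or is_excluded(series):
            continue
        try:
            kb, kbps, eps = float(f["kb"]), float(f["kbps"]), float(f["eps"])
        except (KeyError, ValueError):
            continue  # malformed sample: skip it rather than poison the totals
        totals[series]["kb"] += kb
        # eps*kb/kbps = events/sec * seconds covered by the sample = events;
        # SPL's eval yields null on division by zero and sum() ignores it.
        if kbps > 0:
            totals[series]["events"] += eps * kb / kbps
    return {s: (round(v["events"]), round(v["kb"], 1)) for s, v in totals.items()}
```

Running it on the constructed sample keeps access_combined, syslog and cisco, drops splunkd and stash like the search does, and ignores the per_index_thruput line entirely.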
