How does Splunk multi-metric claim the license?

BluePegasus · ‎07-19-2024

I saw the following text in the documentation:

When ingesting metrics data, each metric event is measured by volume like event data. However, the per-event size measurement is capped at 150 bytes. Metric events that exceed 150 bytes are recorded as only 150 bytes. Metric events less than 150 bytes are recorded as event size in bytes plus 18 bytes, up to a maximum of 150 bytes. Metrics data draws from the same license quota as event data.

I'm wondering how splunk handles multi-metrics with the dimensions and tags.

Here an example:

{
   Tag1: Cross-Direction (CD)
   Type: CSV
   Unit: LS77100
   Groupe: Traverse
   metric_name: LS77100.Traverse.Y1: 1.15
   metric_name: LS77100.Traverse.Y2: 2.13
   metric_name: LS77100.Traverse.Y3: 2.14
   metric_name: LS77100.Traverse.Y4: 1.16
}

So what is count here as a Byte? So do I have to pay for every character after "metric_name:"?
And what is with the Tags above: Do I pay for one tag like Tag1 or Unit in this example four times?

In this example I just got four points in reality that are around 3000 points. In the moment I'm sending the information as an event to splunk. I think about to ingest them as metrics because i guess there are better in performance. Maybe another way is to send it as an event, split them and make mcollect, not sure what is the best way.

How does Splunk multi-metric claim the license?

indexer

license

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?