Installation

Splunk License Violation - Investigate additional data for last 24hrs

gagandeep_arora
Path Finder

Last night the license usage passed 95%, which used to float around 60-65%. There would definitely be additional host or logs started ingesting data yesterday.

Is there a way I can trace down if any source or host is added within last 24hrs or if I can find who impacted the license usage?

Tags (2)
0 Karma

koshyk
Super Champion

be careful on one aspect as "license" is calculated based on _indextime, but when you search data on the host it is _time (eventtime) which might span multiple days.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

"It depends" - Always a good answer. If you don't have lots of SQUASHED data, then the following searches can help you out.

To find out what index has the most data, use the following search:

index=_internal source=*license_usage.log type="Usage" | stats sum(b) as total by idx | eval totalGB=total/1024/1024/1024 | fields idx, totalGB | sort -totalGB

To find out which host is the big offender:

index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"CM",idx) | stats sum(b) as b by h, idx | eval GB=(b/1024/1024/1024) | sort -GB | fields - b

Squashed data is what you get when there are too many entries in a given time period for Splunk to separate things out by host. Usually this isn't a problem until you get LOTS of forwarders.

gagandeep_arora
Path Finder

This was not something specific I was looking for but this was interesting,, Cheers..

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

My answer was in reply to your:

or if I can find who impacted the license usage

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...