Monitoring Splunk

Can you help me with a License Usage justification Report?

shaikhussain2
Explorer

Hi Team,

I am facing a license violation issue.

I have received 4 warnings (29th, 30th, 31st, 1st August), but on 2nd and 3rd September there is no violation. But what we are thinking is we don't want to take a risk. To avoid that risk, we are thinking of increasing the license, but before increasing the license, my manager wants justification for why these violations have happened.

So I went to the license usage report and checked the last 30 days, and the sourcetype "wineventlog:security" is consuming more data in Splunk.

Then I compared the logs of 26th August (205 GB wineventlog:security) and 31st August (260 GB wineventlog:security), but they want to know why this much data was used and where it came from.

Team can you please help me get this report.

Thanks and regards,
shaik hussain

0 Karma

richgalloway
SplunkTrust

Start with a count of distinct sources. If someone added several new Windows servers lately then that might explain the extra data being indexed. It's also possible some servers couldn't connect to the indexers for some time and sent in a backlog of events once connections were re-established.

| tstats count where index=* sourcetype="wineventlog:security" by host
---
If this reply helps you, Karma would be appreciated.
0 Karma
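To turn the host count above into the day-by-day justification the question asks for, the license manager's own usage log can be broken down per host. The search below is an added example, not richgalloway's answer or a Splunk-supplied report. It assumes the standard license_usage.log in the _internal index on the license manager (searchable from the search head when the license manager is a search peer), with its usual fields: type=Usage rows, st (sourcetype), h (host) and b (bytes indexed). It sums daily gigabytes of wineventlog:security per host over the last 30 days and ranks the largest day-over-day jumps, which is what points at a newly added server or a backlog flush.

```spl
index=_internal source=*license_usage.log* type=Usage st="wineventlog:security" earliest=-30d@d latest=@d
| bin _time span=1d
| stats sum(b) AS bytes BY _time h
| eval GB=round(bytes/1024/1024/1024, 2)
| sort 0 h _time
| streamstats current=f window=1 last(GB) AS prev_GB BY h
| eval delta_GB=round(GB-prev_GB, 2)
| where isnotnull(delta_GB)
| sort 0 - delta_GB
| table _time h GB prev_GB delta_GB
```

The streamstats step (sorted by host, then day) carries each host's previous-day total forward so delta_GB is per host, and the final sort puts the biggest increases first; filtering to the 26th and 31st gives the two days already compared in the question. One caveat: when the number of distinct source/host combinations exceeds the license manager's squash_threshold, Splunk drops the s and h fields from the Usage rows, so hosts appear blank in this report; in that case the tstats count by host in the answer above, run over the indexed data itself, is the fallback for attributing volume to hosts.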