- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Detailed Reporting on License Costs per Event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guys, is it possible to break down licnse impact on the following:
- Per Index
- Per SourceType
- Per Source
- Per Event in index i.e. all events with EventCode=302
??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is possible to get a breakdown of index, sourcetype, and source. However, for a certain EventCode can be tricky. First to get the usage for index, sourcetype, source, or even host, try the following:
index=_internal sourcetype=splunkd component=metrics group=<group_to_filter> series=*
where you can set the group field to be:
1. per_index_thruput
2. per_sourcetype_thruput
3. per_host_thruput
4. per_source_thruput
and (optionally) you can choose a specific series. For example, if you use the group per_index_thruput the series would be the index i.e. series=windows.
Full example:
index=_internal sourcetype=splunkd component=metrics group=per_index_thruput series=windows earliest=-7d@d latest=@d
| timechart span=1d sum(kb) as sum_kb by series
For a specific EventCode, you could get a good estimation by seeing what percentage of your events are using that EventCode and correlate that to your metrics logs.
i.e.
index=windows
| top 0 EventCode
| search EventCode=302
note the percent column and cross reference to the previous metrics logs. This won't be exact, but it will give you a good idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is possible to get a breakdown of index, sourcetype, and source. However, for a certain EventCode can be tricky. First to get the usage for index, sourcetype, source, or even host, try the following:
index=_internal sourcetype=splunkd component=metrics group=<group_to_filter> series=*
where you can set the group field to be:
1. per_index_thruput
2. per_sourcetype_thruput
3. per_host_thruput
4. per_source_thruput
and (optionally) you can choose a specific series. For example, if you use the group per_index_thruput the series would be the index i.e. series=windows.
Full example:
index=_internal sourcetype=splunkd component=metrics group=per_index_thruput series=windows earliest=-7d@d latest=@d
| timechart span=1d sum(kb) as sum_kb by series
For a specific EventCode, you could get a good estimation by seeing what percentage of your events are using that EventCode and correlate that to your metrics logs.
i.e.
index=windows
| top 0 EventCode
| search EventCode=302
note the percent column and cross reference to the previous metrics logs. This won't be exact, but it will give you a good idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much for this!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
Introducing the Splunk Community Dashboard Challenge!
