Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Re: Detailed Reporting on License Costs per Event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guys, is it possible to break down licnse impact on the following:
- Per Index
- Per SourceType
- Per Source
- Per Event in index i.e. all events with EventCode=302
??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is possible to get a breakdown of index, sourcetype, and source. However, for a certain EventCode can be tricky. First to get the usage for index, sourcetype, source, or even host, try the following:
index=_internal sourcetype=splunkd component=metrics group=<group_to_filter> series=*
where you can set the group field to be:
1. per_index_thruput
2. per_sourcetype_thruput
3. per_host_thruput
4. per_source_thruput
and (optionally) you can choose a specific series. For example, if you use the group per_index_thruput the series would be the index i.e. series=windows.
Full example:
index=_internal sourcetype=splunkd component=metrics group=per_index_thruput series=windows earliest=-7d@d latest=@d
| timechart span=1d sum(kb) as sum_kb by series
For a specific EventCode, you could get a good estimation by seeing what percentage of your events are using that EventCode and correlate that to your metrics logs.
i.e.
index=windows
| top 0 EventCode
| search EventCode=302
note the percent column and cross reference to the previous metrics logs. This won't be exact, but it will give you a good idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is possible to get a breakdown of index, sourcetype, and source. However, for a certain EventCode can be tricky. First to get the usage for index, sourcetype, source, or even host, try the following:
index=_internal sourcetype=splunkd component=metrics group=<group_to_filter> series=*
where you can set the group field to be:
1. per_index_thruput
2. per_sourcetype_thruput
3. per_host_thruput
4. per_source_thruput
and (optionally) you can choose a specific series. For example, if you use the group per_index_thruput the series would be the index i.e. series=windows.
Full example:
index=_internal sourcetype=splunkd component=metrics group=per_index_thruput series=windows earliest=-7d@d latest=@d
| timechart span=1d sum(kb) as sum_kb by series
For a specific EventCode, you could get a good estimation by seeing what percentage of your events are using that EventCode and correlate that to your metrics logs.
i.e.
index=windows
| top 0 EventCode
| search EventCode=302
note the percent column and cross reference to the previous metrics logs. This won't be exact, but it will give you a good idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much for this!
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
