High license consumption in Splunk

sgarcia
Explorer

Hello community.


We have a cluster architecture with 5 indexes. We have detected high license consumption, we are trying to identify the sources that generate it. I am using the following search to find out which Windows index host consumes the most license:

index=_internal type="Usage" idx=wineventlog
| eval MB=round(b/1024/1024, 2)
| stats sum(MB) as "Consumo de Licencia (MB)" by h
| rename h as "Host"
| sort -"Consumo de Licencia (MB)"

With this search I can see the hosts and the consumption in megabytes, but in the h field there are no values or hosts, which I cannot identify, and I need to know which those hosts are, since the sum of all of them gives me a high license consumption. What could be the cause of that?

[screenshots of the search results]

These are the events from the unknown host:

[screenshot]

I cannot identify what they are: whether they are a specific host, a Splunk component, or something else that is causing this license increase.

Regards
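An added example search, not part of the original post, that keeps the blank-host rows attributable: in license_usage.log, Splunk blanks the h and s fields for a sourcetype once the number of distinct host/source pairs on an indexer exceeds squash_threshold (server.conf [license] stanza, default 2000), but those squashed rows still carry idx and st. The "(squashed)" label is my own; the idx=wineventlog filter is the one from the post.

```spl
index=_internal source=*license_usage.log* type="Usage" idx=wineventlog
| eval h=if(isnull(h) OR h=="", "(squashed)", h)
| eval s=if(isnull(s) OR s=="", "(squashed)", s)
| stats sum(b) as bytes by idx st h s
| eval MB=round(bytes/1024/1024, 2)
| fields - bytes
| rename MB as "Consumo de Licencia (MB)"
| sort -"Consumo de Licencia (MB)"
```

Rows labelled (squashed) are the volume the original search showed with an empty h; their idx and st columns still say which sourcetype is producing it. Raising squash_threshold restores per-host attribution at the cost of more license_usage.log events.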
