license violation

edwinbmiller
New Member

Using the Splunk License Usage App to get a breakdown of index usage by index, host, source, sourcetype.
However, what I would really like is usage by event_type. I'm assuming one of the reasons my indexes are large on the above items is because the users have set up event_type rules that are too generic, and by making the rules more specific I can cut down on index volume? Am I looking at this correctly? I'm new to Splunk, so please forgive the ignorance.

0 Karma

edwinbmiller
New Member

Thanks for the clarification, so the only way to reduce usage is to reduce the rate of syslog entries being generated by chatty hosts?
It would be great if there was a way to discard unwanted syslog or other data source entries so they would not be counted against the license.
After all, why should I pay for data I don't even need?
Often filtering output directly from a source is hard.

0 Karma

sowings
Splunk Employee

You can filter out specific events (be careful that the regex is not too general!) by using the nullQueue. There are some tips here.

0 Karma
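
A sketch of the nullQueue filtering mentioned in the reply above, added here as an example and not taken from the thread or from Splunk's own material; it shows an overly general regex (commented out) beside a narrower one. The sourcetype `syslog`, the transform name `drop_debug_noise`, the daemon name `chattyd` and the sample log line are assumptions.

```ini
# ---- props.conf ----
# Must live on the instance that parses the data (indexer or heavy forwarder);
# a universal forwarder does not apply these transforms.
# Assumption: the noisy events arrive with sourcetype "syslog".
[syslog]
TRANSFORMS-null = drop_debug_noise

# ---- transforms.conf ----
# Too general (left commented out): matches "debug" anywhere in the event,
# case-insensitively. A constructed line such as
#   Jun 12 10:01:02 gw01 sshd[812]: Failed password for root (debug1: ...)
# would be discarded along with the noise, and authentication failures
# would silently disappear from the index.
#
# [drop_debug_noise]
# REGEX = (?i)debug
# DEST_KEY = queue
# FORMAT = nullQueue

# Narrower: anchored at the start of the event and tied to one program name
# (hypothetical daemon "chattyd") and its DEBUG severity token only.
# Matches, for example, the constructed line
#   Jun 12 10:01:02 gw01 chattyd[4411]: DEBUG heartbeat ok
[drop_debug_noise]
REGEX = ^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+chattyd\[\d+\]:\s+DEBUG\b
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to the nullQueue are dropped before indexing, so they cannot be recovered later; running the candidate regex as a search against already-indexed data first shows exactly which events it would discard.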

sowings
Splunk Employee

Event type rules (eventtypes.conf) are done at search time, and don't count against your indexing limit. The licensing usage only applies to raw data coming in from your log sources. If you are collecting from a large number of hosts, or large number of files, you can do searches like:

| metadata type=hosts

or

| metadata type=sources

The number shown in the "events" column is the number of log events from that host (or input file). This can help to identify "noisy" hosts. You could then do a search for that host (again, or logfile) to look at the log events, to then see the contents of that log data.

0 Karma