Hi,
I want to find the license utilization of firewall logs based on severity level. Can anyone help me with the query on how to find the license utilization based on particular events, like Event ID in Windows logs?
Splunk's license usage log tracks utilization by index, host, source, sourcetype, and pool, but not severity. You'll have to do it yourself by adding up the sizes of all of the relevant events. This method may not match the number calculated by Splunk, but should be close enough.
index=firewall sourcetype=firewall
| eval size=len(_raw)
| stats sum(size) as TotalSize by severity
You can approximate license utilization by counting the number of events instead of calculating the exact size. This is faster and could meet your use case.
For example, Windows event log:
<base search>
| top 100 EventCode
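Putting the two answers above together for the Windows case the question asks about, here is an added example (not from either answer) that reports event count, summed raw size and share of the total per EventCode, followed by a second search that pulls Splunk's own per-sourcetype figure from license_usage.log as a sanity check. The index name, sourcetype and 24h window are assumptions; adjust them to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" earliest=-24h
| eval bytes=len(_raw)
| stats count AS events, sum(bytes) AS bytes BY EventCode
| eventstats sum(bytes) AS total_bytes
| eval MB=round(bytes/1024/1024, 2)
| eval pct_of_total=round(100*bytes/total_bytes, 1)
| fields EventCode events MB pct_of_total
| sort - MB

index=_internal source=*license_usage.log* type="Usage" st="WinEventLog:Security" earliest=-24h
| stats sum(b) AS licensed_bytes
| eval licensed_MB=round(licensed_bytes/1024/1024, 2)
```

The first search is an estimate: len(_raw) counts characters rather than bytes (so multi-byte text is undercounted) and filters on event time, whereas license_usage.log records bytes at index time, so expect the totals to differ slightly and compare over a window wide enough that the two views mostly overlap. The second search needs the license manager's _internal index to be searchable from your search head, and the st field is only reliable when the number of distinct sourcetypes stays below the license log's squash threshold.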