Splunk does not record licence consumption per event, but you can make a good guess on this yourself.

Build a search which includes your events, and calculate the size in bytes of each event over 24 hours:

index=wineventlog sourcetype=winlog EventCode=4688 earliest=-24h latest=now
| eval bytes=len(_raw)

Splunk uses UTF-8, so it's 8 bits, 1 byte per character. Each event will be slightly different, with varying hostnames and other parameters etc., so calculate an average:

| stats avg(bytes) as avg_bytes

Now you need to know how many events there have been - I presume it's a lot - a.) because you are asking, and b.) because 4688 is common and noisy! You could run a | stats count over 30 days, but that may take some time. (I'm also working on the assumption you don't have an accelerated datamodel for this.)

This is a good use case for a sampled search; set a sample rate that matches your dataset. 1:10,000 or 1:100,000 is probably the ballpark.

To calculate the volume, you need to multiply the number of events the sampled search returns by the avg_bytes, and then multiply that by the ratio you choose. So the complete search would be:

index=wineventlog sourcetype=winlog EventCode=4688
| eval bytes=len(_raw)
| stats avg(bytes) as avg_bytes count
| eval ratio=10000
| eval consumptionBytes=((avg_bytes*count)*ratio)
| eval consumptionKB=((avg_bytes*count)*ratio)/1024
| eval consumptionMB=((avg_bytes*count)*ratio)/1024/1024
| eval consumptionGB=((avg_bytes*count)*ratio)/1024/1024/1024

Remember to set "| eval ratio=x" to the sample ratio you use for the search.