High license consumption in splunk

sgarcia
Explorer

Hello community.


We have a cluster architecture with 5 indexes. We have detected high license consumption and are trying to identify the sources that generate it. I am using the following search to find out which host in the Windows index consumes the most license:

index=_internal type="Usage" idx=wineventlog
| eval MB=round(b/1024/1024, 2)
| stats sum(MB) as "Consumo de Licencia (MB)" by h
| rename h as "Host"
| sort -"Consumo de Licencia (MB)"

With this search I can see the hosts and their consumption in megabytes, but the h field has entries with no value or host, which I cannot identify, and I need to know which hosts those are, since the sum of all of them gives me a high license consumption. What could be the cause of that?

[Screenshots of the search results]

These are the events from the unknown host entries:

[Screenshot of the events]

I cannot identify what they are: whether they are a specific host, a Splunk component, or something else that is causing this license increase.

Regards
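For context on where that search's numbers come from, here is an added Python example (not the poster's code) that applies the same per-host aggregation directly to license_usage.log type=Usage lines, the file the index=_internal search reads, so blank h entries can be confirmed in the raw log rather than only in the search output. The log lines are constructed samples; Splunk stops recording h and s in Usage records once the number of distinct host/source combinations exceeds its squash_threshold, and the script keeps those records as a separate, visible bucket instead of an empty host name.

```python
import re
from collections import defaultdict

# Constructed sample in the key=value shape of splunkd's license_usage.log
# type=Usage records (not data from the poster's environment). The third
# record has empty h and s, which is how Usage lines look once Splunk has
# stopped reporting per-host/per-source detail (squash_threshold exceeded).
SAMPLE_LOG = """\
07-30-2024 16:40:00.123 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" o="" idx="wineventlog" i="A1B2C3" pool="auto_generated_pool_enterprise" b=3145728 poolsz=1073741824
07-30-2024 16:40:00.123 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:System" st="WinEventLog:System" h="dc01" o="" idx="wineventlog" i="A1B2C3" pool="auto_generated_pool_enterprise" b=1048576 poolsz=1073741824
07-30-2024 16:40:00.124 +0000 INFO  LicenseUsage - type=Usage s="" st="WinEventLog:Security" h="" o="" idx="wineventlog" i="A1B2C3" pool="auto_generated_pool_enterprise" b=10485760 poolsz=1073741824
07-30-2024 16:40:00.125 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st="syslog" h="lnx01" o="" idx="main" i="A1B2C3" pool="auto_generated_pool_enterprise" b=2097152 poolsz=1073741824
"""

# Matches key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Label used for records whose h field is empty (per-host detail not recorded).
UNKNOWN = "(blank h: per-host detail not recorded)"


def parse_usage(line):
    """Return a dict of fields for a type=Usage line, or None for other lines."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "Usage":
        return None
    fields["b"] = int(fields.get("b", 0))
    return fields


def usage_by_host(log_text, idx="wineventlog"):
    """Sum Usage bytes per host for one index, in MB rounded to 2 places,
    mirroring the SPL above but keeping blank hosts as a visible bucket."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_usage(line)
        if rec is None or rec.get("idx") != idx:
            continue
        host = rec.get("h") or UNKNOWN
        totals[host] += rec["b"]
    mb = {h: round(b / 1024 / 1024, 2) for h, b in totals.items()}
    # Highest consumer first, like the "| sort -..." in the search.
    return dict(sorted(mb.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for host, mb in usage_by_host(SAMPLE_LOG).items():
        print(f"{mb:>10.2f} MB  {host}")
```

If the blank-host bucket dominates here too, the raw log itself lacks the host detail, so the remaining place to look is the per-sourcetype and per-index breakdown, which Splunk still records in those lines.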
