Splunk license usage by sourcetype missing data?

RecoMark0
Path Finder

Hello,
I am trying to determine why we keep going over our license limit every so often, and pinpoint the sourcetype using up the most GB. However, when I switch the 30 day license usage graph to split by sourcetype, the bars never reach their actual full size.

For example, on June 18th we went over our 30GB limit by about 5GB (so 35GB total), however when I split by sourcetype, the total GB for June 18th is not even 10GB. This is using the manager/search/licenseusage, not the app.
You can see our limit line in both pics (the dotted line). The first solid line in the split graph is 10GB.

Is this normal? Is there a better way to help figure out sourcetype license usage? I am trying to "clean house" of unneeded indexing, but have been having little luck so far.

Thank you

0 Karma

masonmorales
Influencer

RecoMark0
Path Finder

Awesome, I will try this out!

0 Karma

masonmorales
Influencer

Just added some drop-downs to the license page so that you can select the sourcetype, so make sure you get v1.6.2. No Splunk restart required.

0 Karma

martin_mueller
SplunkTrust

29 is not a large number, I think the logging truncates to the top 100 sourcetypes.

martin_mueller
SplunkTrust

Do you have a large number of low-volume sourcetypes making up most of your total volume?

The per-X logging of license info only logs the top Y number of values, so there will be inaccuracies. How large these are depends on your distribution of volume over few large sourcetypes or many small sourcetypes.

RecoMark0
Path Finder

What is a large number? We have about 29 total different sourcetypes. I thought they got lumped into "other" if they are not in the top 10 or 20?

0 Karma