Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

license violation

edwinbmiller
New Member
‎04-24-2012 07:15 AM

using the Splunk License Usage App to get breakdown of index usage by index,host,source,sourcetype
however what i would really like is usage by event_type. I'm assuming one of the reasons my index are large on the above items is because the users have setup event_type rules that are to generic and by making the rules more specific i csn cut down on index volume? Am i looking at this correctly? I'm new to splunk so please forgive the ignorance

Tags (2)
0 Karma
Reply

edwinbmiller
New Member
‎04-24-2012 06:58 PM

thanks for the clarification, so the only way to reduce usage is reduce the rate of syslogs entries being generated by chatty hosts?
It would be great if there was a way to discard unwanted syslog or other data source entries so they would not be counted against the license.
After all why should i pay for data i don't even need.
Often filtering output directly from a source is hard.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎04-24-2012 07:07 PM

You can filter out specific events (be careful that the regex is not too general!) by using the nullQueue. There are some tips here.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎04-24-2012 07:35 AM

Event type rules (eventtypes.conf) are done at search time, and don't count against your indexing limit. The licensing usage only applies to raw data coming in from your log sources. If you are collecting from a large number of hosts, or large number of files, you can do searches like:

| metadata type=hosts OR | metadata type=sources

The number shown in the "events" column is the number of log events from that host (or input file). This can help to identify "noisy" hosts. You could then do a search for that host (again, or logfile) to look at the log events, to then see the contents of that log data.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...