In an effort to police my license usage, I'm currently using the following to find the hosts with the largest number of events sending to Splunk in the last 5 minutes:
index=* earliest=-5m | stats count by host,splunk_server | sort -count
While a host may be spamming Splunk with events, they may not be that large and affect my license usage that much. What can I use to find the hosts that are sending the actual largest (in size) events by host,splunk_server taking up the most space in the last 5 minutes?
You would want to do something like below (value in bytes).
index=* earliest=-5m | eval esize=len(_raw) | stats count max(esize) by host, source
You can also just check the license_usage.log, which breaks down the number of indexed bytes by host, source, sourcetype, and indexer:
index=_internal source=*license_usage.log | stats sum(b) by s,st,h,i
though the indexer is represented by GUID rather than name in this case. You can of course roll up:
index=_internal source=*license_usage.log | stats sum(b) by s,h
as usual.
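As an added illustration (not part of the original answer), the two aggregations above re-done in Python over constructed sample data: a small parser for type=Usage records in the shape of license_usage.log (the exact line layout of the samples is an assumption; the s, st, h, i and b fields are the ones the answer names), a `sum(b) by ...` roll-up, and the `len(_raw)` per-host/source size stats.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of Splunk's license_usage.log
# (type=Usage lines; the surrounding layout is assumed, not copied from a real log).
SAMPLE_LICENSE_LOG = """\
04-01-2019 10:00:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web01" o="" idx="main" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=52000 poolsz=1073741824
04-01-2019 10:00:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web01" o="" idx="main" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=340000 poolsz=1073741824
04-01-2019 10:00:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="db01" o="" idx="main" i="BBBB-2222" pool="auto_generated_pool_enterprise" b=9000 poolsz=1073741824
04-01-2019 10:00:00.000 +0000 INFO LicenseUsage - type="Usage" s="/var/log/syslog" st="syslog" h="web01" o="" idx="main" i="BBBB-2222" pool="auto_generated_pool_enterprise" b=8000 poolsz=1073741824
"""

# Constructed raw events as (host, source, _raw) tuples.
SAMPLE_EVENTS = [
    ("web01", "/var/log/syslog", "a" * 10),
    ("web01", "/var/log/syslog", "a" * 30),
    ("db01", "/var/log/app.log", "b" * 100),
]

# key=value pairs; group 3 holds the unquoted content of a quoted value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_usage_line(line):
    """Return the fields of one type=Usage record (b as int), or None for other lines."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    if fields.get("type") != "Usage":
        return None
    fields["b"] = int(fields["b"])
    return fields

def bytes_by(lines, keys=("s", "h")):
    """Equivalent of `stats sum(b) by <keys>`, largest consumers first."""
    totals = defaultdict(int)
    for line in lines.splitlines():
        rec = parse_usage_line(line)
        if rec:
            totals[tuple(rec[k] for k in keys)] += rec["b"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

def event_size_stats(events):
    """Equivalent of `eval esize=len(_raw) | stats count max(esize) sum(esize) by host, source`."""
    stats = {}
    for host, source, raw in events:
        count, largest, total = stats.get((host, source), (0, 0, 0))
        stats[(host, source)] = (count + 1, max(largest, len(raw)), total + len(raw))
    return sorted(stats.items(), key=lambda kv: -kv[1][2])  # sort by total bytes
```

The sum column is the one that answers "taking up the most space"; max(esize) only shows the single largest event per host and source.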
I like it. I can pin it to a specific source. Thanks.