Getting Data In

How to predict event increase/license usage by sourcetype

adam_dixon95
Explorer

Hi,

I'm currently ingesting Sysmon logs from 100 hosts, and events are currently stable. However, I'm looking to send 10x more Sysmon hosts to Splunk.

These are quite busy log sources, so I'd like to find a way, within Splunk, to estimate the license usage for the Sysmon sourcetype and potentially provide a graph showing predicted growth in license usage and/or event count.

Thanks

0 Karma

nareshinsvu
Builder
index=_internal source="*license_usage.log*" type=Usage | eval yearmonthday=strftime(_time, "%Y%m%d") | stats sum(eval(b/1024/1024)) AS volume_mb by idx st yearmonthday
0 Karma

Sukisen1981
Champion

@adam_dixon95 - The math is easy; the historical data is very difficult.
You can use MLTK or the built-in time series forecasting using the predict command:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Predict
BUT
you need a big chunk of historical data, based on the time range you are looking to predict for.
For example, if you are looking at every hour, you would probably need an hourly historical data set for the last 1 year at a bare minimum to make a good prediction.
If you are looking at every 5 minutes, maybe you need a 5-minute based data set for the last 3 months.
Rule of thumb: more data is not necessarily better, but coverage is. If your data is cyclical (typically all businesses have some cycles, e.g. more sales in the new year/Christmas) and you do not include the historical data for that while making a prediction, chances are that your model will fail for Christmas 2019.

0 Karma
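An added example (not posted in this thread) that joins the two answers: nareshinsvu's license_usage.log search narrowed to one sourcetype and fed into the predict command Sukisen1981 points to. The Sysmon sourcetype name, the daily granularity and the 30-day horizon are assumptions; adjust them to your environment.

```spl
index=_internal source="*license_usage.log*" type=Usage
    st="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval gb=b/1024/1024/1024
| timechart span=1d sum(gb) AS daily_gb
| predict daily_gb AS predicted_gb algorithm=LLP future_timespan=30 holdback=0
| eval predicted_gb_10x_hosts=round(predicted_gb*10, 2)
```

Run it over as long a time range as you have (a year of daily totals is the kind of coverage the answer above asks for); the `*10` line scales the forecast linearly for the planned tenfold host increase, and the `lower95`/`upper95` fields predict emits give you the confidence band for the chart.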

Sukisen1981
Champion

hi @adam_dixon95
Were you able to make some progress on this question?

0 Karma