In a perfect world, we would each be able to collect every byte of data from all of our systems and store it forever on free infrastructure that requires absolutely no maintenance and is easily accessible and completely secure.

Unfortunately here on Planet Earth, we are commonly forced to optimize our systems along a cost-benefit curve – proving the value of the data we collect is worth more than the cost of the infrastructure, licensing, and maintenance. For most organizations, Splunk has no trouble demonstrating its worth year after year, but even your local office Splunk addict wants to be sure they’re getting the most bang for their buck before asking for a license increase at the yearly budget meeting. In this article, we’ll explore ways you can trim the fat from your Splunk license consumption and better align your Splunk usage with your organization’s strategic goals.

According to Splunk’s pricing guide, with a 100 GB/day term license, your Splunk pricing is $600/year per GB/day of ingestion – not to mention the cost of the infrastructure required to manage this load.

Before starting a discussion about renewing an oversized Splunk license or purchasing additional license capacity, take the time to verify you’re making the most of the license you have.

The first step in reducing your Splunk pricing is understanding the sources of your daily data ingestion. The best way to begin analyzing this is to look at license consumption by “sourcetype”. “sourcetype” is a required metadata field Splunk attaches to each event that (when properly configured) describes the format of the data (e.g. “syslog”, “WinEventLog:Security”, “cisco:asa”) and in most cases can give you a rough idea of where that data comes from and what it contains. Splunk core provides a very robust and practical dashboard out-of-the-box (log in to your license master as an admin > Settings > Licensing > Usage Report > Previous 30 Days > Split by: Source type), or you can run your own query, something like this:

index=_internal source=*license_usage.log type="Usage"
| fields _time, st, b
| bin _time span=1d
| stats sum(b) as b by _time, st
| stats avg(b) as avg_b max(b) as max_b by st
| eval avg_GB=round(avg_b/1024/1024/1024, 3), max_GB=round(max_b/1024/1024/1024, 3)

The type=Usage entries in license_usage.log are written every minute, so the bin and first stats stages roll them up to daily totals before the average and maximum are taken per sourcetype.

By closely examining your largest sourcetypes – anything consuming more than 1% of your license quota on average per day (300 GB/day license = 3 GB/day or more) – can you explain the contents of each of these sourcetypes or the reason you’re ingesting them? If not, consider making a simple Excel sheet listing your largest sourcetypes, investigating these sourcetypes one by one in Splunk, and making a note of their contents (e.g. “wireless network traffic”, “SSO access logs”, “application crash logs”). Be as specific as possible without overdoing it – if you can identify the specific product, data center, location, or responsible team, do so. Completing this may require a little research, but if it starts to take more than a few minutes, move on and keep reading. Side note: In my own environment I’ve gone so far as to write out descriptions for every sourcetype, save them as a lookup in Splunk, and create a dashboard with details on every sourcetype and index for other users to reference.

At this point, you may find 99% (or some other large majority) of your license consumption is assigned to a single sourcetype.

How did I get all this data?

Now that you have an idea of where all that license goes every day, you may be wondering how Splunk began ingesting some of this data in the first place. If that’s the case, pivot your investigation on another Splunk metadata field such as host, source, or index – is one subset of hosts, sources, or indexes accumulating more data than others? Try something like:

index=_internal source=*license_usage.log type="Usage" st="<your_sourcetype>" | stats sum(b) by h
index=_internal source=*license_usage.log type="Usage" st="<your_sourcetype>" | stats sum(b) by s
index=_internal source=*license_usage.log type="Usage" st="<your_sourcetype>" | stats sum(b) by idx
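The two analyses above (daily license usage per sourcetype against the 1%-of-quota threshold, then a pivot by host, source or index for one sourcetype) can also be run offline against a copy of license_usage.log, which is handy when you are reviewing usage outside Splunk or checking the search results by hand. The following Python script is an added example and is not code from the article or from Splunk; it assumes the type=Usage lines carry the key=value fields st, h, s, idx and b as they do in the license master's _internal index, and the log lines it parses are constructed for the example. It also handles the case the SPL queries above silently hide: when the license master has too many distinct host/source combinations to track it writes "squashed" entries with empty h and s, which the script reports under a (SQUASHED) bucket instead of dropping them.

```python
"""Offline roll-up of Splunk license_usage.log (added example, not the article's code).

Assumed line shape (as in the license master's _internal index):
  MM-DD-YYYY HH:MM:SS.mmm +ZZZZ INFO  LicenseUsage - type=Usage s="..." st=... h=... idx=... b=<bytes> ...
Only type=Usage lines are counted; RolloverSummary and other types are skipped.
"""
import re
from collections import defaultdict
from datetime import datetime

GIB = 1024 ** 3

# Constructed sample: two days, three sourcetypes. The last line mimics a "squashed"
# entry (h="" s="") that the license master writes when it stops tracking per-host detail.
SAMPLE_LOG = """\
03-01-2021 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web01 o="" idx=main i="1" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=322122547200
03-01-2021 00:02:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web02 o="" idx=main i="1" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=322122547200
03-01-2021 00:03:00.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h=dc01 o="" idx=wineventlog i="1" pool="auto_generated_pool_enterprise" b=536870912 poolsz=322122547200
03-01-2021 23:59:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary stack="enterprise" b=3758096384 poolsz=322122547200
03-02-2021 00:01:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/syslog" st=syslog h=web01 o="" idx=main i="1" pool="auto_generated_pool_enterprise" b=4294967296 poolsz=322122547200
03-02-2021 00:02:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="cisco:asa" h="" o="" idx=network i="1" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=322122547200
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) ")


def parse_usage_lines(text):
    """Yield one dict per type=Usage line: day, st, h, s, idx and b (bytes as int)."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") != "Usage":
            continue
        yield {
            "day": datetime.strptime(m.group(1), "%m-%d-%Y").date(),
            "st": fields.get("st", ""),
            "h": fields.get("h", ""),
            "s": fields.get("s", ""),
            "idx": fields.get("idx", ""),
            "b": int(fields.get("b", "0")),
        }


def sourcetype_report(events, quota_gb_per_day, threshold=0.01):
    """Average and peak daily GB per sourcetype, flagging those at or above threshold*quota.

    The average divides by every day seen in the log, so a sourcetype that only
    sends data on some days is not over-stated.
    """
    per_day = defaultdict(lambda: defaultdict(int))  # st -> day -> bytes
    for ev in events:
        per_day[ev["st"]][ev["day"]] += ev["b"]
    all_days = {day for days in per_day.values() for day in days}
    report = {}
    for st, days in per_day.items():
        avg_gb = round(sum(days.values()) / len(all_days) / GIB, 3)
        max_gb = round(max(days.values()) / GIB, 3)
        report[st] = {
            "avg_GB": avg_gb,
            "max_GB": max_gb,
            "over_threshold": avg_gb >= threshold * quota_gb_per_day,
        }
    return report


def pivot(events, key, sourcetype):
    """Total bytes of one sourcetype split by host ("h"), source ("s") or index ("idx").

    Squashed entries have empty h/s; they are kept under "(SQUASHED)" so the totals
    still add up to the sourcetype's real consumption.
    """
    totals = defaultdict(int)
    for ev in events:
        if ev["st"] == sourcetype:
            totals[ev[key] or "(SQUASHED)"] += ev["b"]
    return dict(totals)


if __name__ == "__main__":
    events = list(parse_usage_lines(SAMPLE_LOG))
    for st, row in sorted(sourcetype_report(events, 300).items(), key=lambda kv: -kv[1]["avg_GB"]):
        flag = "REVIEW" if row["over_threshold"] else "ok"
        print(f"{st:25} avg {row['avg_GB']:>8} GB/day  max {row['max_GB']:>8} GB  {flag}")
    for key in ("h", "s", "idx"):
        print(f"syslog by {key}:", pivot(events, key, "syslog"))
```

Run it with a real export of license_usage.log in place of SAMPLE_LOG (for example, the raw events of the search index=_internal source=*license_usage.log type=Usage saved to a file) and pass your own daily quota to sourcetype_report. If most of a sourcetype's bytes land in the (SQUASHED) bucket of a host or source pivot, the license master is no longer recording that detail and the pivot by idx, which is never squashed, is the one to trust.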