Solved: Hosts with the largest events in size?

kwaingrow · ‎12-04-2012

In an effort to police my license usage, I'm currently using the following to find the hosts with the largest number of events sending to Splunk in the last 5 minutes:

index=* earliest=-5m | stats count by host,splunk_server | sort -count

While a host may be spamming Splunk with events, they may not be that large and affect my license usage that much. What can I use to find the hosts that are sending the actual largest (in size) events by host,splunk_server taking up the most space in the last 5 minutes?

sdaniels · ‎12-04-2012

You would want to do something like below (value in bytes).

index=* earliest=-5m | eval esize=len(_raw) | stats count max(esize) by host, source

View solution in original post

gkanapathy · ‎07-14-2013

You can also just check the license_usage.log, which breaks down the number of indexed bytes by host, source, and sourcetype, and indexer:

index=_internal source=*license_usage.log | stats sum(b) by s,st,h,i

though the indexer is represented by GUID rather than name in this case. You can of course roll up:

index=_internal source=*license_usage.log | stats sum(b) by s,h

as usual.

sdaniels · ‎12-04-2012

You would want to do something like below (value in bytes).

index=* earliest=-5m | eval esize=len(_raw) | stats count max(esize) by host, source

kwaingrow · ‎12-04-2012

I like it. I can pin it to a specific source. Thanks.

Hosts with the largest events in size?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!