View License Utilization with a SecOps Search?

Good morning --

Today I was trying to view how much of our current SecOps license we are using and, interestingly, wasn't able to locate the information in any of our dashboards. There are a few articles out there about how you can enable a license utilization dashboard but I was wondering if anyone had a way within search that this information could be displayed? I was able to do it easily within Splunk 🙂

Thanks in advance


We have the dashboards to display how much storage is consumed (look at the Main dashboard) and you can adjust the time period. What we don't have is how much storage your license is for in the dashboards.

Is there anything specific you are looking for? The ingestion_metrics table has all the info you need to see the consumption at log type level, time, etc.
You can also take a look at this: https://medium.com/@thatsiemguy/monitoring-your-siem-ingestion-licensing-5c9a8c6bfd74

In the new Native dashboards you can write a query on the ingestion and display the results, for example:

 

ingestion.log_type != ""
$log_type = ingestion.log_type
match:
    $log_type
outcome:
    $log_count = sum(ingestion.log_count)
    $event_count = sum(ingestion.event_count)
    $throughput = math.ceil(sum(ingestion.log_volume)/(1024*1024))
    $drop_count = sum(ingestion.drop_count)
order:
    $log_count desc

 

@rajukg Thanks for the prompt reply. I'm looking to see how much of my license I'm using (i.e., 90GB of my 100GB license). As you pointed out -- the native "Data Ingestion and Health" dashboard does not show me how much my license is for.

Our SecOps instance is managed by a third party; I'm guessing I would have to get them to enable the new Native dashboards feature.