How can you estimate how much data you will send to Splunk?

TheJulyPlot
New Member

I am putting a business case together for getting a SIEM into my organisation. I have looked at a number of options and I am trying to get some ballpark prices to include.

Given that Splunk works on a data consumption model, of $2,070 PA for 1GB per day, I was wondering how I would go about calculating an estimate of how much data my organisation would send to Splunk?

Is there any kind of model for this?

Something that I can use to work out how much data my organisation will send Splunk per day.

I.e. a model that will guesstimate that X number of Windows 7 clients send an average of Y MB per day, X number of Windows Domain Controllers will send Y MB per day, X NGFWs will send Y MB per day, etc.

0 Karma

DalJeanis
Legend

@adonio's suggestion is the right one. I'm going to add some hopefully-mature political advice.

For certain uses, Splunk is awesome sauce squared, so once you have a working system, different departments will be clamoring to add their data and it will tend to expand to fill all space, time, and money available, like the blob in that old Steve McQueen movie. That's neither good nor bad, it's just a fact of life for systems that create value.

But, if you've created the cost estimate, and the above scenario plays out, both you and the organization need to be able to tease the expense data into a form where your original estimated costs are distinguishable from any later expansions of function.

So, if your use case for SIEM using Splunk gets approved, just make sure your initial design for stand-up actions and change processes includes some provision for additional users justifying and allocating the marginal costs for any additional data feeds that will inevitably accrue over time, along with some level of periodic review to determine whether each existing feed is still cost-justified.

0 Karma

adonio
Ultra Champion

Try to contact Splunk sales via splunk.com.
They have some spreadsheets that can help you get a good ballpark of predicted license usage.
Good luck!
