If the log data will be sent to the Splunk indexer after compression, how much Splunk license do I need to buy?
EX: If the total raw log size from different applications is nearly equal to 4 GB, how many licenses do I need to buy?
Thanks, everyone.
The raw data size that will be ingested in Splunk is directly proportional to the license size, as the compression will happen once the data is indexed.
So for 4 GB/day of raw log data, the Splunk license value will be 4 GB/day.
For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.
See here for more:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks
Thank you very much to all.
The Splunk blog has really amazing information about how much license you should buy and the factors to estimate data ingestion. Have a look:
https://www.splunk.com/blog/2016/05/06/what-size-should-my-splunk-license-be.html
What do you mean by compression?
Is it to delete unnecessary events and fields from raw logs?
Since Splunk's license is based on the amount of logs per day, if you want to capture the raw log as it is, you need a license for the volume of the raw log.
If you delete events and fields from the raw log beforehand, the amount of deleted log will be the license fee.