How to estimate license requirements for new data sources from a number of hosts?

techmjohnson
New Member

We have some new sources that we want to bring into Splunk, but are concerned about license utilization. Is there a way to estimate Splunk usage from a number of hosts without having to deltify each log for its per-day growth and then summing that up? I guess what I’m looking for is something that I could dump the log to, like a nullQueue, but have it count how much data it would consume. This will help us plan for license growth as we bring new services on. Right now the proposed use case is a pretty big Hadoop cluster, but I could also see us indexing application traces and errors for Ruby on Rails apps.

0 Karma

Richfez
SplunkTrust

Well, one thought I had was manual labor and a lot of math, but because I'm lazy and assume others are as well, that's probably out. 🙂

With an enterprise license you can go over your license amount I think 5 times in a 30-day rolling window. With the free license I think it's 3 times. So, as long as you are paying attention and managing the rest of your Splunk environment, you may be able to just pick a day in which you'll enable several new inputs and not worry if you go over license that day.

After a few hours or a day of ingesting those inputs, check your license pages (or the S.o.S. app - you should install that) and see what it's like. You could even set up a license alert - search for those and there are all sorts of great ideas in Answers on some options for some of those. Anyway, keep the inputs that are small enough and get rid of (or figure out how to reduce) the ones that were too big.

Just make sure you don't enable them all on a Friday afternoon and forget about them until Tuesday and have 3 or 4 days of license overage. 😞

0 Karma
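One way to turn a short pilot ingest like the one described above into a per-day estimate for the whole fleet, as an added example that is not part of the original thread: it sums the `b` (bytes) field of `type=Usage` events from `license_usage.log` per sourcetype and scales by host count. The sample lines, host names, pool name and fleet sizes are constructed, and the projection assumes the pilot hosts and sample window are representative.

```python
import re
from collections import defaultdict

# Constructed sample in the style of type=Usage events from license_usage.log
# (b = bytes counted against the license, st = sourcetype, h = host).
SAMPLE = '''\
05-06-2024 10:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/hadoop/nn.log" st="hadoop" h="hdp-01" o="" idx="main" i="CONSTRUCTED" pool="pilot" b=52428800 poolsz=10737418240
05-06-2024 11:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/hadoop/dn.log" st="hadoop" h="hdp-02" o="" idx="main" i="CONSTRUCTED" pool="pilot" b=31457280 poolsz=10737418240
05-06-2024 12:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/hadoop/nn.log" st="hadoop" h="hdp-01" o="" idx="main" i="CONSTRUCTED" pool="pilot" b=20971520 poolsz=10737418240
05-06-2024 12:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/srv/app/log/production.log" st="rails" h="app-01" o="" idx="main" i="CONSTRUCTED" pool="pilot" b=10485760 poolsz=10737418240
05-06-2024 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="pilot" b=999 poolsz=10737418240
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_usage(line):
    """Return the fields of a type=Usage event, or None for any other line."""
    fields = {k: (q or u) for k, q, u in KV.findall(line)}
    # Skip summaries and rows without a usable sourcetype/host attribution.
    if fields.get("type") != "Usage" or not all(fields.get(k) for k in ("b", "st", "h")):
        return None
    return fields

def project_daily_bytes(lines, sample_hours, fleet_hosts):
    """Extrapolate pilot usage to bytes/day per sourcetype.

    fleet_hosts maps sourcetype -> planned production host count (hypothetical
    input); a sourcetype missing from it is projected at its pilot host count.
    """
    total, hosts = defaultdict(int), defaultdict(set)
    for line in lines:
        f = parse_usage(line)
        if f is None:
            continue
        total[f["st"]] += int(f["b"])
        hosts[f["st"]].add(f["h"])
    projected = {}
    for st, b in total.items():
        per_host_hour = b / len(hosts[st]) / sample_hours
        projected[st] = per_host_hour * 24 * fleet_hosts.get(st, len(hosts[st]))
    return projected

if __name__ == "__main__":
    est = project_daily_bytes(SAMPLE.splitlines(), 4, {"hadoop": 200, "rails": 10})
    for st, b in sorted(est.items()):
        print(f"{st}: {b / 2**30:.2f} GiB/day")
```

A sample window that misses the daily peak (batch jobs, business-hours traffic) will under-estimate, so a full 24-hour pilot gives a safer number.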