Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If my applications log total is 10GB, do I need to buy a 10GB splunk license ?

raj_mpl
Path Finder
‎07-30-2018 05:19 AM

If the log data will be sent to splunk indexer after compression, how much splunk license do I need to buy?
EX: If the total raw log size from different applications is nearly equal to 4 GB, how many licenses do I need to buy?

Thanks, everyone.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎07-30-2018 06:14 AM

raw data size that will be ingested in splunk is directly proportional to license size. As the compression will happen once the data is indexed.
So for 4 gb/day raw log data, splunk license value will be 4 gb/day .

For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.

See here for more:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks

View solution in original post

0 Karma
Reply
Solved! Jump to solution

raj_mpl
Path Finder
‎07-30-2018 07:12 AM

Thank you very much for all ..

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎07-30-2018 06:24 AM

Splunk blog has really amazing information about how much license you should buy and the factors to estimate data ingestion. Have a look..,

https://www.splunk.com/blog/2016/05/06/what-size-should-my-splunk-license-be.html

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎07-30-2018 06:14 AM

raw data size that will be ingested in splunk is directly proportional to license size. As the compression will happen once the data is indexed.
So for 4 gb/day raw log data, splunk license value will be 4 gb/day .

For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.

See here for more:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎07-30-2018 05:45 AM

What is saying compression?
Is it to delete unnecessary events and fields from raw logs?

Since Splunk's license is the amount of logs per day, if you want to capture the raw log as it is, you need a license for the amount of log of the raw log.

If you delete events and fields from the raw log beforehand, the amount of deleted log will be the license fee.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...