Hello All,
I am wondering if someone out there can help with this.
We are evaluating Splunk Enterprise, and using the 60-day evaluation version. This is going in a live area, with a universal forwarder sending data to the Splunk back end. My concern is that when we switch this on and point the forwarder at the Splunk back end, we will blow our 500 MB a day limit straight away, and we will not be able to gain any relevant test data because of the MBs per day constraints, and thus rule Splunk out of our possible purchases.
The data is from Windows event logs, to start with. Is there a way of telling Splunk that you only want it to start logging from the date of installation, and not read all of the log history contained in the event logs?
My other question is to do with capacity planning. Are there any Splunk apps that can run standalone, to basically give you any idea of how much data would be sent to Splunk if it was installed?
We do not want to spend the money purchasing the product, and find that we cannot get what we want from it, because we blow our licensing limits all the time.
Thanks in advance for any help