https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336689#M8448 <P>hi @niketnilay,</P> <P>thanks for sharing useful information.<BR /> I am looking exactly the same.</P> Wed, 02 May 2018 08:45:03 GMT rashid47010 2018-05-02T08:45:03Z https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336685#M8444 <P>Hi Everyone,</P> <P>I want to install splunk trail version. I have multiple Domain Controllers, File Servers, Exchange Server, Firewalls.<BR /> the idea is to present splunk capabilities.</P> <P>Please tell me:<BR /> 1-Trial license is 500 MB/per day so what should be my strategy( how many indexers, search heads and Forwarders I can configure)<BR /> 2- estimate space required for each data source, for example, for DC how many events can be indexed.<BR /> 3- what should be my architecture strategy. <BR /> 4- How can I drop windows events at universal forwarder or Index level.<BR /> 5- How can I filter network events( should I do this at network device it self .. OR i can drop events at index level.</P> Sun, 15 Apr 2018 18:29:11 GMT https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336685#M8444 rashid47010 2018-04-15T18:29:11Z https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336686#M8445 <P>@rashid47010, For point 1 and 3: Refer to Splunk Validated Architectures <A href="https://www.splunk.com/pdfs/white-papers/splunk-validated-architectures.pdf">whitepaper</A> and <A href="http://conf.splunk.com/sessions/2017-sessions.html#search=Splunk%20Validated%20Architectures&amp;">.conf 2017 Session</A> for the same. </P> <P>For Point 2: If you have Splunk Admin/Architect provide them with the devices details, volume of data per day/per week and data growth, retention requirement etc. If not reach out to Splunk Sales folks (Sales Rep or Sales Engineer) who might be closely tied to you/your location or else get the help from <A href="https://partners.splunk.com/locator/search?f0=Type+Of+Partner&amp;f0v0=Professional+Services">Professional Services</A></P> <P>For point 4: dropping event based on your input data, some data can be filtered via Universal Forwarder using blacklist option ( if they are supported ) in the inputs.conf.</P> <P>If not you can use <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">nullQueue</A> to filter data from getting indexed. Other option would be to use <A href="https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptedInputsIntro">Scripted Input</A> to Splunk and have your Script drop the unwanted data from being indexed.</P> Sun, 15 Apr 2018 22:31:14 GMT https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336686#M8445 niketn 2018-04-15T22:31:14Z https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336687#M8446 <P>For #1-3: If your desire is to demonstrate/examine Splunk capabilities, then my advice to you is not to stand up your own test infrastructure; you would be MUCH better off simply firing up an ES or ITSI sandbox which has your sourcetypes already coming in.</P> <P>For #4, there is a github app for cutting down on Windows event sizes that should be easily found with any search engine.</P> <P>For #5, in general, don't weigh down your indexers doing filter work that can be done any place else.</P> Sun, 15 Apr 2018 22:55:43 GMT https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336687#M8446 woodcock 2018-04-15T22:55:43Z https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336688#M8447 <P>Hey@rashid47010,</P> <P>There are certain limitation for trial license such as clustering and all cannot be done.<BR /> Refer this doc for limitations:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/MoreaboutSplunkFree">http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/MoreaboutSplunkFree</A></P> <P>Let me know if this helps!!!</P> Mon, 16 Apr 2018 06:07:36 GMT https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336688#M8447 deepashri_123 2018-04-16T06:07:36Z https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336689#M8448 <P>hi @niketnilay,</P> <P>thanks for sharing useful information.<BR /> I am looking exactly the same.</P> Wed, 02 May 2018 08:45:03 GMT https://community.splunk.com/t5/Installation/Splunk-Trail/m-p/336689#M8448 rashid47010 2018-05-02T08:45:03Z