All,
Any rough number estimates on the Splunk app for Qualys' gigs/day usage? Can anyone familiar with this app give me any input? Our security team is pushing for it but I need to justify value for disk/license.
Thanks
-Daniel
Daniel,
The answer to your question depends on how much data you are ingesting into Splunk indexes and at what frequency of runs. Generally it is in MBs for a day, if not more.
In Splunk license logs, there is a field 'idx' which denotes the index that the data is being written to. Doing a sum of the bytes field (b) by idx will give you the license usage per index:
Example - index=_internal source="*license_usage.log" | stats sum(b) by idx
Hope that helps.
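An offline version of the per-index sum described in this answer, as an added example that is not part of the original thread: it parses license_usage.log lines, keeps only type=Usage events, and totals the b field per day and per idx. The sample lines, the index name qualys_trial, and the host, source and sourcetype values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of license_usage.log events (not real data).
SAMPLE = '''\
01-15-2018 09:00:01.123 -0500 INFO  LicenseUsage - type=Usage s="example_source" st="example:sourcetype" h="hf01" o="" idx="qualys_trial" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=4194304 poolsz=10737418240
01-15-2018 15:00:01.456 -0500 INFO  LicenseUsage - type=Usage s="example_source" st="example:sourcetype" h="hf01" o="" idx="qualys_trial" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=2097152 poolsz=10737418240
01-15-2018 15:00:02.001 -0500 INFO  LicenseUsage - type=Usage s="other_source" st="syslog" h="web01" o="" idx="main" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=1048576 poolsz=10737418240
01-16-2018 00:00:00.010 -0500 INFO  LicenseUsage - type=RolloverSummary pool="example_pool" poolsz=10737418240 b=7340032
01-16-2018 09:00:01.789 -0500 INFO  LicenseUsage - type=Usage s="example_source" st="example:sourcetype" h="hf01" o="" idx="qualys_trial" i="00000000-0000-0000-0000-000000000000" pool="example_pool" b=3145728 poolsz=10737418240
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
DATE = re.compile(r'^(\d{2}-\d{2}-\d{4}) ')  # leading MM-DD-YYYY of the event

def usage_by_index_per_day(lines):
    """Return {(date, idx): bytes}, summing b over type=Usage events only."""
    totals = defaultdict(int)
    for line in lines:
        m = DATE.match(line)
        if not m:
            continue  # blank or malformed line
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        # Summary events also carry b but no idx; counting them would
        # inflate the total, so only per-index Usage events are kept.
        if fields.get("type") != "Usage" or "idx" not in fields:
            continue
        totals[(m.group(1), fields["idx"])] += int(fields["b"])
    return dict(totals)

def peak_daily_mb(totals, idx):
    """Largest single-day volume for one index, in MB."""
    days = [b for (_, i), b in totals.items() if i == idx]
    return max(days) / (1024 * 1024) if days else 0.0

if __name__ == "__main__":
    totals = usage_by_index_per_day(SAMPLE.splitlines())
    for (day, idx), b in sorted(totals.items()):
        print(f"{day}  {idx:<14} {b / (1024 * 1024):8.2f} MB")
    print("peak qualys_trial day:", peak_daily_mb(totals, "qualys_trial"), "MB")
```
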
In my testing of this application the current sizing is MBs/day, and generally very, very small.
However, it may vary depending on your environment, and I completely agree with adonio's comment, you might be better off enabling the add-on and measuring afterward...
Hello there,
I don't have the numbers, but from a little experience I learned that license usage prediction is not an easy task, as there are often too many variables.
With that said, I think the best way is just to give it a shot. Pick one or two instances you are interested in, bring the data to Splunk and measure license usage. Worst thing that can happen is asking for a reset key from Splunk.
Make sure you create a new index for that data so you can easily remove it and free the disk space in the case you decide to move forward.
If you have a Splunk dev environment (even a tiny VM) you are already in a very good spot.
Another option can be a very short email to your Splunk SE; just ask her what they see in the field.
Good luck!