
How can I estimate the licensing usage for Splunk App For Qualys?

daniel333
Builder

All,

Any rough number estimates on the Splunk app for Qualys' gigs/day usage? Anyone familiar with this app give me any input? Our security team is pushing for it but I need to justify value for disk/license.

thanks
-Daniel

0 Karma

nit123
Path Finder

Daniel,

The answer to your question depends on how much data you are ingesting into Splunk indexes and at what frequency of runs. Generally it is in MBs for a day, if not more.

In Splunk license logs, there is a field 'idx' which denotes the index that the data is being written to. Doing a sum of the bytes field (b) by idx will give you the license usage per index:

Example - index=_internal source="*license_usage.log" | stats sum(b) by idx

Hope that helps.

0 Karma

gjanders
SplunkTrust

In my testing of this application the current sizing is MBs/day, and generally very, very small.

However, it may vary depending on your environment, and I completely agree with adonio's comment: you might be better off enabling the add-on and measuring afterward...

0 Karma

adonio
Ultra Champion

Hello there,
I don't have the numbers, but from a little experience I learned that license usage prediction is not an easy task, as there are often too many variables.
With that said, I think the best way is just to give it a shot. Pick one or two instances you are interested in, bring the data to Splunk and measure license usage. The worst thing that can happen is asking for a reset key from Splunk.
Make sure you create a new index for that data so you can easily remove it and free the disk space in the case you decide to move forward.
If you have a Splunk dev environment (even a tiny VM) you are already in a very good spot.
Another option can be a very short email to your Splunk SE; just ask her what they see in the field.
Good luck!

0 Karma
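
Added example, not part of any post above: one way to combine the two suggestions in this thread, by sending the trial data to a dedicated index and then breaking the license log down per day and per sourcetype for that index only. The index name `qualys_trial` is a hypothetical placeholder for whatever index you create; `type`, `idx`, `st` and `b` are fields of `license_usage.log`.

```spl
index=_internal source="*license_usage.log" type="Usage" idx="qualys_trial"
| bin _time span=1d
| stats sum(b) AS bytes BY _time, st
| eval MB = round(bytes / 1024 / 1024, 2)
| eventstats sum(MB) AS index_total_MB BY _time
| fields _time, st, MB, index_total_MB
| sort _time, st
```

Run it over a window that covers several full collection cycles, so the daily totals reflect the run frequency you intend to use in production.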