
Need Information on Licensing Requirements for Splunk Clustering on Indexers

metmox1
Explorer

Hello Team,

We would like to understand the approach and the licensing requirements for installing Splunk ES with clustering on Indexers and Search Heads. Will we need an identical license on both the clusters?


Regards,

Vikram Chabra

Vikram@Metmox.com

0 Karma

richgalloway
SplunkTrust

All indexers should connect to the same License Manager.  There are no separate license requirements for ES.

---
If this reply helps you, Karma would be appreciated.

metmox1
Explorer

Thanks for the confirmation.

 

Can you please provide the relevant documentation for building a Splunk ES server from the ground up with clustering on indexers and search heads?

0 Karma

gcusello
SplunkTrust

Hi @metmox1,

ES architecture and dimensioning isn't an easy job. I suggest engaging Splunk PS or at least a Splunk Architect with experience in ES architectures, because there are requirements and points of attention that differ from Splunk Enterprise (just as an example: with Splunk Enterprise you use one Indexer to index up to 200 GB, with ES up to 100-150 GB).

Hardware requirements are described at https://docs.splunk.com/Documentation/ES/7.0.1/Install/DeploymentPlanning but as I said, it's mandatory to have training and experience on ES.

Ask your reference Splunk Partner to help you; if you are a Splunk Partner, ask your managers to participate in a training (I did it!)

Ciao.

Giuseppe

0 Karma

metmox1
Explorer

Ok, so if we are implementing clustering across two distinct AWS availability zones on indexers, will we need 2 identical Splunk ES licenses?

0 Karma

gcusello
SplunkTrust

Hi @metmox1,

If you have one cluster that replicates data between the peers, you have to pay for only one license (if you have a license for indexed logs).

It's different if you have two (or more) clusters that exchange logs between them: in each case you have to pay for the total indexed logs, but not for the replicated ones.

It's obviously different if you have a license for CPU.

My advice is to ask your reference Splunk Partner or Splunk Sales.

Ciao.

Giuseppe

 

0 Karma

gcusello
SplunkTrust

Hi @metmox1,

The Splunk license is counted on the daily indexed logs or the number of CPUs of the Indexers, so Search Heads don't enter into the license calculation.

Ciao.

Giuseppe
