Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Advice on personal experience of data count of data sources per host

hensgr
New Member
‎07-08-2019 09:13 AM

Hey all. So my company has recently acquired 200GB added on top of our current licence. We are interested in 3 different log sources and wondering what the data size per day is per host in your experience?

It would be good to know if you have heavily filtered the input or not, but it would be good for scoping if I could have an idea of metrics:
Powershell logs
Sysmon
Winevent logs on users machines

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2019 10:58 AM

While you may get some useful estimates from other people's experiences, nothing beats estimating using your own data.

Turn on those sources on 1-10 hosts and measure how much your data ingestion increases. Use that figure to extrapolate the total license usage increase for those sources on all hosts.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2019 10:58 AM

While you may get some useful estimates from other people's experiences, nothing beats estimating using your own data.

Turn on those sources on 1-10 hosts and measure how much your data ingestion increases. Use that figure to extrapolate the total license usage increase for those sources on all hosts.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

hensgr
New Member
‎07-09-2019 12:44 AM

Totally appreciate the point and I have suggested this but you can understand the complexities to getting this done in a heavily bureaucratic environment. Just at a finger in the air for now so I am interested in what other people's experiences are.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...