Getting Data In

Help estimating cost of metrics in Splunk?

daniel333
Builder

All,

I am trying to get my head around host much Splunk costs for metric points. I have three metric indexes and let's assume Splunk costs me $1000 a gig. (it doesn't, but need a round number to work with).

How does my math look here?

| mstats count WHERE metric_name=* (index="collectd" OR index="metrics" OR index="winmetrics")
| rename count as "Countofmetrics"
| eval bytes = 150 * Countofmetrics
| eval gigs = bytes / 1024 / 1024 / 1024
| eval cost = 1000 * gigs
| table gigs, cost

niketn
Legend

@daniel333 you should contact Splunk Sales team for this however, as per the documentation it is not just straight 150 bytes. If per event metric data consumes more tat 150 bytes they would still be capped at 150 bytes. So you would need to know the size of each metric payload being sent to metrics index.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks#How_data_is_metere...

Second thing is that once you have calculated raw metrics data volume correctly the license cost per GB is same as regular index license cost.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@daniel333 you should check out Splunk .Conf session on what's new with Metrics as the licensing will change a bit in favor of really small sized metric events. For metric event smaller than 150 bytes, actual size will be used and from 150 bytes and above it will be capped to 150 bytes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gjanders
SplunkTrust
SplunkTrust

FYI @niketnilay, the metrics started been measured as <= 150 bytes as of version 7.3.0, below this version it was 150 bytes for all metrics, above this version 150 bytes is the maximum license cost per metric...

niketn
Legend

Information overload may be 🙂 The session was for Past Present and Future of Metrics and things got mixed up. Thanks for correction!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...