Current looking at adding more devices to our Splunk Server and I would like to know how Splunk reads this data in regards to daily volume so I know if our License will still meet the additional logging?
If I have 16 GB daily logs on an Active Directory server, is Splunk going to see this as an additional 16 GB to the daily utilization, or is the data utilization measured after indexing and changing format?
What do you mean by changing format? Splunk does not change the format of the raw data.
License utilization is measured from the raw data, so if you consume 16GB of data on disk, the license utilization will be the same.