Getting Data In

How to calculate how much Splunk license is enough

architkhanna
Path Finder

I have a Splunk cluster where the instances have the following configuration.

--> 16vCPU

--> 64GB Memory

--> 400GB Disk Size.

At the source from which my app pulls data, 150k records are generated each day. How do we confirm the license which needs to be installed for this scenario? Is there a straightforward formula to calculate that?
TIA.

0 Karma

gcusello
SplunkTrust

Hi @architkhanna,

the best approach is to analyze license consumption for a period.

Anyway, you could calculate license consumption by identifying an average dimension for the events, so if they are around 1kB each, you could have:

     150,000*1k/1024=140 MB

then you could add a 30% tolerance, but anyway you need less than 500MB, which is the minimum license.

Are you sure that 150k is the number of events per day and not eps?

In this other case the license consumption is very different:

     150,000*3600*24*1k/1024/1024/1024=12 TB

Check the exact number of events!

Ciao.

Giuseppe

 

0 Karma

richgalloway
SplunkTrust

If your app is the only one sending data to Splunk then the license needed is 150k x the average size of a record plus a small margin for occasional overages.

If there are other apps sending data then add in the amount they will send each day.

---
If this reply helps you, Karma would be appreciated.
0 Karma

architkhanna
Path Finder

Thank you for the prompt reply, however, we haven't started indexing the data and we do not know the size of the events yet. The estimated license needs to be confirmed beforehand (which sounds odd to me too).
I would maybe assume each event size as ~10kb (since each record has around 200 fields) and calculate the size.

Thank You.

0 Karma

gcusello
SplunkTrust

Hi @architkhanna,

as @richgalloway and I said, you have two choices:

  • to make a PoC to see your data, e.g. from one server, and make a calculation,
  • to see the dimension of a single event and calculate dimension x number of events,

adding a margin in both cases.

At first glance, 10 kb seems a bit too much for a single event, as it means an average of 10,000 characters for each event (in your case 200 fields, each one with 50 chars!). Just as an example, a Windows event (that is among the most verbose) is always less than 1kb, and if we talk about Linux, we normally have less than 0.1 kb.

Anyway, put e.g. 1000 events in a file and see its dimension.

At the same time, check the number of events, because 150k events is the usual number for a few Windows servers or 2-3 Domain Controllers.

Ciao.

Giuseppe

0 Karma
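The sizing approach described in the replies above (measure a sample of events, multiply by the daily count, add a margin), as an added example that is not part of any post in the thread. The sample events, the function names, the UTF-8 byte measurement and the use of the 500 MB minimum quoted above as a threshold are assumptions made for illustration.

```python
"""Estimate daily Splunk ingest volume from a sample of raw events."""

SECONDS_PER_DAY = 24 * 3600
MIN_LICENSE_MB = 500  # minimum license size as quoted in the thread (not verified here)

# Constructed sample: replace with lines read from a file of ~1000 real records.
SAMPLE_EVENTS = [
    '2024-03-01T10:00:00Z id=1001 user="alice" action=login status=ok src=10.0.0.5',
    '2024-03-01T10:00:02Z id=1002 user="bob" action=upload status=ok bytes=48213',
    '2024-03-01T10:00:07Z id=1003 user="chloé" action=login status=failed',
]


def event_sizes(events):
    """Raw size of each event in bytes (assumption: measured as UTF-8 text)."""
    return [len(e.encode("utf-8")) for e in events]


def estimate(events, count, count_is_eps=False, margin=0.30):
    """Project daily volume in MB from sample events and an event count.

    count is events per day, or events per second when count_is_eps is True
    (the ambiguity raised in the thread). margin is the added tolerance.
    """
    sizes = event_sizes(events)
    if not sizes:
        raise ValueError("need at least one sample event")
    avg = sum(sizes) / len(sizes)
    per_day = count * SECONDS_PER_DAY if count_is_eps else count
    mb = avg * per_day * (1 + margin) / (1024 * 1024)
    return {
        "avg_bytes": avg,
        "max_bytes": max(sizes),  # a large outlier means the mean may understate volume
        "events_per_day": per_day,
        "mb_per_day": mb,
        "within_minimum": mb <= MIN_LICENSE_MB,
    }


if __name__ == "__main__":
    for is_eps in (False, True):
        r = estimate(SAMPLE_EVENTS, 150_000, count_is_eps=is_eps)
        unit = "events/s" if is_eps else "events/day"
        print(f"150k {unit}: avg {r['avg_bytes']:.0f} B, "
              f"{r['mb_per_day']:,.1f} MB/day, "
              f"within {MIN_LICENSE_MB} MB: {r['within_minimum']}")
```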