Getting Data In

How to calculate how much Splunk license is enough

architkhanna
Path Finder

I have a Splunk cluster where the instances have the following configuration.

--> 16vCPU

--> 64GB Memory

--> 400GB Disk Size.

At the source from which my app pulls data, 150k records are generated each day. How do we confirm the license that needs to be installed for this scenario? Is there a straightforward formula to calculate that?
TIA.

0 Karma

gcusello
SplunkTrust

Hi @architkhanna,

the best approach is to analyze license consumption for a period.

Anyway, you could calculate license consumption by identifying an average dimension for the events, so if they are around 1kB each, you could have:

     150,000*1k/1024=140 MB

then you could add a 30% tolerance, but anyway you need less than 500MB, which is the minimum license.

Are you sure that 150k is the number of events per day and not eps?

In this other case the license consumption is very different:

     150,000*3600*24*1k/1024/1024/1024=12 TB

Check the exact number of events!

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

If your app is the only one sending data to Splunk then the license needed is 150k x the average size of a record plus a small margin for occasional overages.

If there are other apps sending data then add in the amount they will send each day.

---
If this reply helps you, Karma would be appreciated.
0 Karma

architkhanna
Path Finder

Thank you for the prompt reply, however, we haven't started indexing the data and we do not know the size of the events yet. The estimated license needs to be confirmed beforehand (which sounds odd to me too).
I would maybe assume each event size as ~10kb (since each record has around 200 fields) and calculate the size.

Thank You.

0 Karma

gcusello
SplunkTrust

Hi @architkhanna,

as @richgalloway and I said, you have two choices:

  • to make a PoC to see your data, e.g. from one server, and make a calculation,
  • to see the dimension of a single event and calculate dimension x number of events,

adding a margin in both cases.

At first glance, 10 kb seems a bit too much for a single event, as it means an average of 10,000 characters for each event (in your case 200 fields, each one with 50 chars!). Just as an example, a Windows event (that is among the most verbose) is always less than 1kb, and if we talk about Linux, we normally have less than 0.1 kb.

Anyway, put e.g. 1000 events in a file and see its dimension.

At the same time, check the number of events, because 150k events are the usual number for a few Windows servers or 2-3 Domain Controllers.

Ciao.

Giuseppe

0 Karma
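
The sizing procedure the replies describe (measure a sample of events, multiply by the event count, add a margin), as an added example that is not part of any post in the thread. It assumes one event per line; the function names and the constructed 200-field record are illustrative, while the 30% margin and the 500 MB minimum are the figures quoted in the replies.

```python
"""Estimate daily Splunk ingest from a sample of raw events (added example)."""

SECONDS_PER_DAY = 86_400
MIN_LICENSE_MB = 500  # minimum license size quoted in the thread


def event_sizes(raw: bytes, delimiter: bytes = b"\n") -> list[int]:
    """Byte length of every non-empty event; one event per line is assumed."""
    return [len(e) for e in raw.split(delimiter) if e.strip()]


def estimate_daily_mb(raw: bytes, rate: float, per: str = "day",
                      margin: float = 0.30) -> dict:
    """Project daily raw volume in MB from a sample and an event rate.

    per="day" treats rate as events per day, per="second" as EPS.
    """
    if per not in ("day", "second"):
        raise ValueError("per must be 'day' or 'second'")
    sizes = event_sizes(raw)
    if not sizes:
        raise ValueError("sample contains no events")
    avg = sum(sizes) / len(sizes)
    events_per_day = rate * SECONDS_PER_DAY if per == "second" else rate
    base_mb = avg * events_per_day / 1024 / 1024
    with_margin_mb = base_mb * (1 + margin)
    return {
        "events_in_sample": len(sizes),
        "avg_event_bytes": avg,
        "max_event_bytes": max(sizes),
        "base_mb": base_mb,
        "with_margin_mb": with_margin_mb,
        "fits_minimum_license": with_margin_mb <= MIN_LICENSE_MB,
    }


def constructed_record(fields: int = 200, value_width: int = 8) -> bytes:
    """Constructed sample event: key=value pairs, not real application data."""
    pairs = (f"f{i:03d}=" + "x" * value_width for i in range(fields))
    return " ".join(pairs).encode()


if __name__ == "__main__":
    sample = b"\n".join(constructed_record() for _ in range(1000))
    for per in ("day", "second"):
        est = estimate_daily_mb(sample, 150_000, per=per)
        print(per, round(est["avg_event_bytes"]), "B/event,",
              round(est["with_margin_mb"], 1), "MB/day incl. margin")
```

Replace the constructed sample with a file of real events exported from the source; changing `value_width` shows how quickly the per-field width moves the daily total.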