Hi everyone,
I'm currently using VMware vRealize Log Insight to collect logs from ESXi hosts, vCenter servers, and NSX components. I then forward these logs to Splunk. However, I've noticed that Log Insight doesn't always parse logs correctly. I'm considering switching to direct integration using the Splunk Add-ons for VMware and NSX.
My Questions:
- Log Volume Reduction: For those who have used Log Insight, what kind of log volume reduction have you achieved through filtering and aggregation before forwarding logs to Splunk?
- License Usage: How does the Splunk license usage compare between using Log Insight for pre-processing and direct ingestion with Splunk Add-ons?
- Best Practices: Are there any best practices or tips for optimizing Splunk license usage with either approach?
Context:
- Current log volume: Approximately 300 GB per day (raw).
- Goals: Improve log parsing accuracy while optimizing Splunk license usage.
Any insights or experiences would be greatly appreciated!
Thanks in advance!
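Since the question is about how much filtering before indexing saves, here is an added example (not from the original post, and not VMware's or Splunk's code) that models the Splunk index-time drop pattern in Python: a chain of drop rules routing noise to `nullQueue`, followed by a keep rule that wins over them, exactly as a `TRANSFORMS-*` chain is evaluated (last write to `queue` wins). Events sent to `nullQueue` are never indexed and never count against the license, which Splunk meters on the raw bytes of indexed events, so the script reports raw versus indexed bytes and projects the daily figure. The sample events are constructed to look like ESXi/vCenter syslog; the noise regexes, the sourcetype name passed to `render_splunk_config` and the 300 GB figure are assumptions to tune against real data.

```python
import re
from dataclasses import dataclass

# Constructed sample events shaped like ESXi/vCenter syslog lines (illustrative,
# not captured from a real environment). ASCII only, so len() equals UTF-8 bytes.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z esx01 Hostd: info hostd[2098] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 8 : User root@10.0.0.5 logged in",
    "2024-05-01T10:00:02Z esx01 Hostd: verbose hostd[2098] [Originator@6876 sub=PropertyProvider] RecordOp ASSIGN: info.progress, task-12",
    "2024-05-01T10:00:03Z esx01 Vpxa: verbose vpxa[2112] [Originator@6876 sub=VpxaHalCnxHostagent] Heartbeat received",
    "2024-05-01T10:00:04Z esx01 vmkernel: cpu3:2097) WARNING: ScsiDeviceIO: 1510: Command 0x2a to naa.600 failed H:0x0 D:0x2",
    "2024-05-01T10:00:05Z esx01 Hostd: verbose hostd[2098] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-ha-host",
    "2024-05-01T10:00:06Z vcenter01 vpxd[1234]: warning vpxd[07345] [Originator@6876 sub=Default] Failed to authenticate user administrator@vsphere.local",
    "2024-05-01T10:00:07Z esx01 Vpxa: verbose vpxa[2112] [Originator@6876 sub=VpxaHalCnxHostagent] Heartbeat received",
    "2024-05-01T10:00:08Z esx01 Hostd: verbose hostd[2098] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 9 : Firewall configuration has changed. Operation 'enable' for rule set sshServer succeeded.",
]


@dataclass(frozen=True)
class Rule:
    name: str
    regex: str


# Drop rules (assumed noise patterns): matching events go to nullQueue, so they are
# never indexed and never metered. Tune these against a real sample of your data.
DROP_RULES = [
    Rule("drop_hostd_verbose", r"Hostd: verbose\b"),
    Rule("drop_vpxa_heartbeat", r"Vpxa: verbose .*Heartbeat received"),
]
# Keep rule, evaluated last so it overrides every drop rule. It protects events a
# SOC needs (logins, auth failures, firewall changes) from an over-broad filter.
KEEP_RULE = Rule("keep_security", r"logged in|authenticat|Firewall configuration")


def event_bytes(event: str) -> int:
    """License-relevant size: Splunk meters the raw bytes of each indexed event."""
    return len(event.encode("utf-8"))


def route(event, drop_rules, keep_rule):
    """Return (queue, rule_name) the way a TRANSFORMS chain does: later rules override."""
    queue, hit = "indexQueue", None
    for rule in drop_rules:
        if re.search(rule.regex, event):
            queue, hit = "nullQueue", rule.name
    if queue == "nullQueue" and re.search(keep_rule.regex, event):
        queue, hit = "indexQueue", keep_rule.name  # rescued by the keep rule
    return queue, hit


def volume_report(events, drop_rules=DROP_RULES, keep_rule=KEEP_RULE):
    """Raw vs. indexed bytes, per-rule hit counts and the resulting reduction ratio."""
    kept, counts = [], {**{r.name: 0 for r in drop_rules}, keep_rule.name: 0}
    for ev in events:
        queue, hit = route(ev, drop_rules, keep_rule)
        if hit:
            counts[hit] += 1
        if queue == "indexQueue":
            kept.append(ev)
    raw = sum(event_bytes(e) for e in events)
    indexed = sum(event_bytes(e) for e in kept)
    return {
        "raw_bytes": raw,
        "indexed_bytes": indexed,
        "reduction": (1 - indexed / raw) if raw else 0.0,
        "events_in": len(events),
        "events_indexed": len(kept),
        "hits": counts,
    }


def projected_daily_gb(raw_daily_gb, reduction):
    """Daily indexed volume if the measured reduction holds across the whole feed."""
    return round(raw_daily_gb * (1 - reduction), 2)


def render_splunk_config(sourcetype, drop_rules=DROP_RULES, keep_rule=KEEP_RULE):
    """props.conf / transforms.conf stanzas equivalent to route(); keep rule listed last."""
    names = [r.name for r in drop_rules] + [keep_rule.name]
    props = f"[{sourcetype}]\nTRANSFORMS-filter_noise = {', '.join(names)}\n"
    stanzas = [f"[{r.name}]\nREGEX = {r.regex}\nDEST_KEY = queue\nFORMAT = nullQueue\n"
               for r in drop_rules]
    stanzas.append(f"[{keep_rule.name}]\nREGEX = {keep_rule.regex}\n"
                   "DEST_KEY = queue\nFORMAT = indexQueue\n")
    return props, "\n".join(stanzas)


if __name__ == "__main__":
    report = volume_report(SAMPLE_EVENTS)
    print(report)
    # 300 GB/day raw is the figure from the question above; the ratio is from the sample.
    print("projected GB/day:", projected_daily_gb(300, report["reduction"]))
    props, transforms = render_splunk_config("vmware:esxlog")  # sourcetype name assumed
    print(props, transforms, sep="\n")
```

Run it over a day's worth of exported raw lines instead of the constructed sample to get a ratio you can trust before touching production config; the rendered stanzas belong on the heavy forwarder or indexer that first parses the data, which with the direct add-on approach is where the filtering has to happen anyway, since the universal forwarder on the syslog collector does not parse.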