Hi everyone,

I'm currently using VMware vRealize Log Insight to collect logs from ESXi hosts, vCenter servers, and NSX components. I then forward these logs to Splunk. However, I've noticed that Log Insight doesn't always parse logs correctly. I'm considering switching to direct integration using the Splunk Add-ons for VMware and NSX.

My Questions:

1. Log Volume Reduction: For those who have used Log Insight, what kind of log volume reduction have you achieved through filtering and aggregation before forwarding logs to Splunk?
2. License Usage: How does the Splunk license usage compare between using Log Insight for pre-processing and direct ingestion with Splunk Add-ons?
3. Best Practices: Are there any best practices or tips for optimizing Splunk license usage with either approach?

Context:

• Current log volume: Approximately 300 GB per day (raw).
• Goals: Improve log parsing accuracy while optimize Splunk license usage.

Any insights or experiences would be greatly appreciated!

Thanks in advance!