We have some new sources that we want to bring into Splunk, but are concerned about license utilization. Is there a way to estimate Splunk usage from a number of hosts without having to deltify each log for its per-day growth and then summing that up? I guess what I’m looking for is something that I could dump the log to, like a nullQueue, but have it count how much data it would consume. This will help us plan for license growth as we bring new services on. Right now the proposed use case is a pretty big Hadoop cluster, but I could also see us indexing application traces and errors for Ruby on Rails apps.
Well, one thought I had was manual labor and a lot of math, but because I'm lazy and assume others are as well, that's probably out. 🙂
With an enterprise license you can go over your license amount I think 5 times in a 30-day rolling window. With the free license I think it's 3 times. So, as long as you are paying attention and managing the rest of your Splunk environment, you may be able to just pick a day in which you'll enable several new inputs and not worry if you go over license that day.
After a few hours or a day of ingesting those inputs, check your license pages (or the S.o.S. app - you should install that) and see what it's like. You could even set up a license alert - search for those and there are all sorts of great ideas in Answers on some options for some of those. Anyway, keep the inputs that are small enough and get rid of (or figure out how to reduce) the ones that were too big.
Just make sure you don't enable them all on a Friday afternoon and forget about them until Tuesday and have 3 or 4 days of license overage. 😞