Installation

How to estimate license requirements for new data sources from a number of hosts?

techmjohnson
New Member

We have some new sources that we want to bring into Splunk, but are concerned about license utilization. Is there a way to estimate Splunk usage from a number of hosts without having to deltify each log for it’s per day growth and then summing that up? I guess what I’m looking for is something that I could dump the log to, like a nullQueue, but have it count how much data it would consume. This will help us plan for license growth as we bring new services on. Right now the proposed use case is a pretty big hadoop cluster, but I could also see us indexing application traces and errors for ruby on rails apps.

Labels (1)
0 Karma

Richfez
SplunkTrust
SplunkTrust

Well, one thought I had was manual labor and a lot of math, but because I'm lazy and assume others are as well, that's probably out. 🙂

With an enterprise license you can go over your license amount I think 5 times in a 30 day rolling window. With the free license I think it's 3 times. So, as long as you are paying attention and managing the rest of your Splunk environment, you may be able to just pick a day in which you'll enable several new inputs and not worry if you go over license that day.

After a few hours or a day of ingesting those inputs, check your license pages (or the S.o.S. app - you should install that) and see what it's like. You could even set up a license alert - search for those and there are all sorts of great ideas in Answers on some options for some of those. Anyway, keep the inputs that are small enough and get rid of (or figure out how to reduce) the ones that were too big.

Just make sure you don't enable them all on a Friday afternoon and forget about them until Tuesday and have 3 or 4 days of license overage. 😞

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...