Installation

How to install Enterprise Security, licensing and data ingestion

termcap
Path Finder

If I want to buy a subscription for on-premise Splunk Enterprise Security, what is the way to go about it?

Some Questions:

1. Is Enterprise Security just an app that is to be installed on Splunk Enterprise, or is it a separate Splunk bundle altogether?

2. If I install Splunk Enterprise Security on Splunk Enterprise, will it use the data ingestion license of Splunk Enterprise or will I have to buy a separate ingestion license for Enterprise Security?

3. Does Splunk Enterprise Security care about the daily ingestion limit, or is it a function of the underlying Splunk Enterprise installation?

4. Can I deploy Splunk Enterprise Security as follows:

  1. Install Splunk Enterprise and apply a daily ingestion license of xGB/day.
  2. Buy a subscription for Splunk Enterprise Security, download the app and install it on my Splunk Enterprise install.
  3. In case I need to increase the ingestion limit, buy the upgraded license and install it on the Splunk Enterprise?

5. Can anyone point out a ballpark figure for the price of Splunk Enterprise Security?

Thanks,

Termcap

gcusello
SplunkTrust

Hi @termcap,

I'll try to answer your questions:

  1. ES is a premium app that you have to install on a Splunk Enterprise installation;
  2. You have to buy a license for Splunk Enterprise and a license for ES, usually with the same dimension;
  3. ES is a Splunk Premium App; this means that you are under the Splunk License agreement;
  4. Usually the license for ES is the same as that of Splunk Enterprise (in terms of daily indexed data);
  5. For ES pricing, ask your Splunk Sales team; if you don't have one, you can ask at this URL: https://www.splunk.com/en_us/software/pricing/cyber-security.html. As a rough idea, ES licensing is near 50% of the Splunk Enterprise license, but it depends on many factors, so take care with this evaluation!

Beware that the ES installation isn't so immediate!

Ciao.

Giuseppe

termcap
Path Finder

Thank you for the detailed reply @gcusello, can you please clarify further based on the following context.

Let's say I want to start with a 50GB/day indexing limit, does this mean:

1. I have to buy a Splunk Enterprise License for 50GB/day and a Splunk Enterprise Security License for 50GB/day? Will this mean that I have a total ingestion limit of 100GB/day? 50GB for Splunk Enterprise and 50GB for Enterprise Security?

2. If I want to now go from 50GB/day to 60GB/day, I need to buy an additional 10GB/day for both Splunk Enterprise and Enterprise Security separately?

3. Can I buy a 50GB/day License for Splunk Enterprise and just a 30GB/day License for Enterprise Security if I plan to use my Splunk setup for other purposes as well apart from Enterprise Security? In this case I will only send ~ 30GB/day to Enterprise Security.

4. What do you mean when you say "Beware that the ES installation isn't so immediate!"?

Thanks,

Termcap

gcusello
SplunkTrust

Hi @termcap,

Answering your questions:

  1. No, buying 50 GB of Splunk and 50 GB of ES, you don't have 100 GB; you have 50 GB of Splunk and ES.
  2. Yes, you have to upgrade both products: Splunk Enterprise and ES;
  3. To my knowledge, you cannot buy a different value for Splunk and ES;
  4. ES installation requires training on ES because there are some points needing attention in the installation process; e.g., contrary to what you might think, ES is not installed immediately after Splunk: first all the TAs must be installed, and then ES.

Ciao.

Giuseppe
