Installation

If my applications log total is 10GB, do I need to buy a 10GB splunk license ?

raj_mpl
Path Finder

If the log data will be sent to splunk indexer after compression, how much splunk license do I need to buy?
EX: If the total raw log size from different applications is nearly equal to 4 GB, how many licenses do I need to buy?

Thanks, everyone.

Labels (1)
0 Karma
1 Solution

493669
Super Champion

raw data size that will be ingested in splunk is directly proportional to license size. As the compression will happen once the data is indexed.
So for 4 gb/day raw log data, splunk license value will be 4 gb/day .

For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.

See here for more:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks

View solution in original post

0 Karma

raj_mpl
Path Finder

Thank you very much for all ..

0 Karma

sudosplunk
Motivator

Splunk blog has really amazing information about how much license you should buy and the factors to estimate data ingestion. Have a look..,

https://www.splunk.com/blog/2016/05/06/what-size-should-my-splunk-license-be.html

0 Karma

493669
Super Champion

raw data size that will be ingested in splunk is directly proportional to license size. As the compression will happen once the data is indexed.
So for 4 gb/day raw log data, splunk license value will be 4 gb/day .

For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.

See here for more:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/HowSplunklicensingworks

View solution in original post

0 Karma

HiroshiSatoh
Champion

What is saying compression?
Is it to delete unnecessary events and fields from raw logs?

Since Splunk's license is the amount of logs per day, if you want to capture the raw log as it is, you need a license for the amount of log of the raw log.

If you delete events and fields from the raw log beforehand, the amount of deleted log will be the license fee.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!