Installation

Splunk Trail

rashid47010
Communicator

Hi Everyone,

I want to install splunk trail version. I have multiple Domain Controllers, File Servers, Exchange Server, Firewalls.
the idea is to present splunk capabilities.

Please tell me:
1-Trial license is 500 MB/per day so what should be my strategy( how many indexers, search heads and Forwarders I can configure)
2- estimate space required for each data source, for example, for DC how many events can be indexed.
3- what should be my architecture strategy.
4- How can I drop windows events at universal forwarder or Index level.
5- How can I filter network events( should I do this at network device it self .. OR i can drop events at index level.

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

For #1-3: If your desire is to demonstrate/examine Splunk capabilities, then my advice to you is not to stand up your own test infrastructure; you would be MUCH better off simply firing up an ES or ITSI sandbox which has your sourcetypes already coming in.

For #4, there is a github app for cutting down on Windows event sizes that should be easily found with any search engine.

For #5, in general, don't weigh down your indexers doing filter work that can be done any place else.

View solution in original post

0 Karma

deepashri_123
Motivator

Hey@rashid47010,

There are certain limitation for trial license such as clustering and all cannot be done.
Refer this doc for limitations:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/MoreaboutSplunkFree

Let me know if this helps!!!

0 Karma

woodcock
Esteemed Legend

For #1-3: If your desire is to demonstrate/examine Splunk capabilities, then my advice to you is not to stand up your own test infrastructure; you would be MUCH better off simply firing up an ES or ITSI sandbox which has your sourcetypes already coming in.

For #4, there is a github app for cutting down on Windows event sizes that should be easily found with any search engine.

For #5, in general, don't weigh down your indexers doing filter work that can be done any place else.

0 Karma

niketn
Legend

@rashid47010, For point 1 and 3: Refer to Splunk Validated Architectures whitepaper and .conf 2017 Session for the same.

For Point 2: If you have Splunk Admin/Architect provide them with the devices details, volume of data per day/per week and data growth, retention requirement etc. If not reach out to Splunk Sales folks (Sales Rep or Sales Engineer) who might be closely tied to you/your location or else get the help from Professional Services

For point 4: dropping event based on your input data, some data can be filtered via Universal Forwarder using blacklist option ( if they are supported ) in the inputs.conf.

If not you can use nullQueue to filter data from getting indexed. Other option would be to use Scripted Input to Splunk and have your Script drop the unwanted data from being indexed.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rashid47010
Communicator

hi @niketnilay,

thanks for sharing useful information.
I am looking exactly the same.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...