I have a 200 GB/day license installed in the Splunk Enterprise cluster. The daily license usage hovers around ~180 GB constantly throughout the month, except in the middle and at the end of the month. On those days it reaches ~250 GB, roughly 5 days a month.
What is the best way to accommodate the above use case?
1. Buy a 250 GB/day license (which I think will be wasted for the remaining 25 days, because usage is constantly below 200 GB)
2. Is there any way to scale the license up and down in terms of pricing?
Thanks in advance!
Is it possible to send the data from the POS to syslog, then tell Splunk to grab the data from the syslog server on different days? That way you could spread it out. That may only be useful if timely ingestion of the data is NOT important, however. Otherwise, I think you are stuck with what RichGalloway posted. He is correct: you should be allowed 5 overages per month. So if you can find a way to keep the overages below 5, that should work, and you could pay for a 200 GB license instead of a 250 GB one. I have also found that Splunk is open to negotiating license prices. Have you tried talking to your sales rep? I once negotiated a 75% price decrease for a federal government customer who was storing a lot of data but not searching it.
The data is time-dependent, so I cannot do what you explained in the first part. However, I still agree with what @richgalloway said: the Splunk team should arrange something regarding the price or a way to solve this problem. I posted here to see if anyone has an idea or has already faced this scenario.
I will keep this question open for some time to see if any other responses come in, and I will accept his answer after a few days. Thanks, @Funderburg78, for the suggestions.
You need to take a look at the days that are high for licensing and see which sourcetypes are coming in on those days. Who are the number one contributors, and are they consistently #1 on days NOT exceeding the license? It sounds to me like on certain key days some application on your network is performing an excessive amount of logging that is not consistent daily. Perhaps it is a patch day and systems are being patched, generating a lot of logs. Perhaps it is a backup/restore day and you are monitoring access to files in directories. Once you identify the culprit, you need to contact the owner of the system and identify what is occurring differently.
Upvote if this helps, reply if you need further clarification.
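The per-day, per-sourcetype comparison described in the answer above, written out as Splunk searches. This is an added example and not part of the original thread; the 200 GB figure is the asker's quota, and the searches assume license_usage.log is searchable (it lives on the license master, so run them there). The first search gives the daily total with an over-quota flag; the second ranks the top five sourcetypes for each day so you can see whether the #1 contributor on a ~250 GB day is the same one as on a ~180 GB day.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=@d
| eval GB=b/1024/1024/1024
| timechart span=1d sum(GB) AS daily_GB
| eval over_quota=if(daily_GB > 200, "yes", "no")

index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=@d
| eval GB=b/1024/1024/1024
| bin _time span=1d
| stats sum(GB) AS GB by _time, st
| sort _time, -GB
| streamstats count AS rank by _time
| where rank<=5
```

Caveat: when the number of distinct host/source/sourcetype combinations exceeds the squash threshold (squash_threshold in server.conf), Splunk stops recording st, h and s in the Usage lines and the second search will show an empty sourcetype bucket. If that happens, raise the threshold on the license master or fall back to a per-index breakdown (idx), which is never squashed.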
Thanks for answering this question. What you said is 100% correct for finding the culprit that is causing the spike in license usage. However, let's say the client is a retailer: at the start of every month sales are high and the logs generated are high, and the remaining days of the month are not high, as explained in my question.
The point I am trying to make is that there is no culprit causing the issue. The application is designed like that: at the start of every month the usage is high, so the logs generated by the application are high.
At that level, there is no penalty for violating the license. See https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Aboutlicenseviolations#What_happens_during_...
I believe the "official" answer is to buy an additional license to cover the maximum daily volume. There are other licensing options, however, that do not involve data volume. Contact your Splunk sales rep for more.
There is no sliding license. Go to https://ideas.splunk.com to suggest one.