Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

May I know how Splunk calculate license usage for Packet collections

nelson_ye
New Member
‎10-11-2017 11:56 PM

Hi All

I want to know how Splunk will calculate license usages for packets collection?
Currently what we are doing is setup monitor sessions on Cisco switches, and then monitor interested vlans' traffics to packet collectors.
For example, i have one packet capture device that have one NIC capturing packets, below are 24 hours collected pkts:
EM2:8749745734122 bytes = 1018GB

So will both those 1018 GB being calculated into license usage?

BR
Nelson

0 Karma
Reply

nelson_ye
New Member
‎10-13-2017 07:22 AM

Hi SSievert

Thanks for your answer, actually we are planning to deploy Splunk in our Environment, we are evaluating license status if it will be enough for current packet capturing. Currently we use another Security product that also can capturing packets and we write rules to do some security related alerts/incidents creation, and also dig out some potential risks in our environment. So besides logs, packet capturing and investigation is also very important for us.

We setup many Use cases that may index packet meta data, like clear text password finding, Botnet tracing and IOC detection, etc.

BR
Nelson

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎10-12-2017 12:39 AM

Nelson,
this is well documented here.
Splunk license usage is based on the actual raw bytes written to disk during indexing in a 24hr period. If you index your packet captures into Splunk and the data represents 1018GB, this is what will be used in license usage calculation.

What is your use case for indexing pcap data...?

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...