I want to know how Splunk will calculate license usages for packets collection?
Currently what we are doing is setup monitor sessions on Cisco switches, and then monitor interested vlans' traffics to packet collectors.
For example, i have one packet capture device that have one NIC capturing packets, below are 24 hours collected pkts:
EM2:8749745734122 bytes = 1018GB
So will both those 1018 GB being calculated into license usage?
Thanks for your answer, actually we are planning to deploy Splunk in our Environment, we are evaluating license status if it will be enough for current packet capturing. Currently we use another Security product that also can capturing packets and we write rules to do some security related alerts/incidents creation, and also dig out some potential risks in our environment. So besides logs, packet capturing and investigation is also very important for us.
We setup many Use cases that may index packet meta data, like clear text password finding, Botnet tracing and IOC detection, etc.
this is well documented here.
Splunk license usage is based on the actual raw bytes written to disk during indexing in a 24hr period. If you index your packet captures into Splunk and the data represents 1018GB, this is what will be used in license usage calculation.