Splunk Enterprise Security

Enterprise Security license usage: How do you report/estimate the license volume that has been processed?

ikulcsar
Communicator

Hi,

Because of a license renewal/upgrade: is there any way to report/estimate the license volume processed by Enterprise Security?

Regards,
István

0 Karma

MuS
Legend

Hi ikulcsar,

This is not really related to Enterprise Security, but just a basic Splunk question. License usage is calculated the same with or without ES; it is based on the amount of raw data being indexed.

Read the docs about the LURV here http://docs.splunk.com/Documentation/Splunk/latest/Admin/LicenseUsageReportViewexamples

Hope this helps ...

cheers, MuS

0 Karma

ikulcsar
Communicator

Hi,

Thx for the reply. I am familiar with the Splunk Enterprise licensing.
We have security related sources along with non-security ones. And there are some partial security and non-security sources.

After all, we don't wanna buy an ES license for all of the Splunk Enterprise license; somehow we have to measure the log volume processed by ES.
Based on what I've been up to today, I guess there is no built-in solution for this, but maybe someone can help, so I asked.

Regards,
István

0 Karma

MuS
Legend

Well, you can have a look at the license usage by sourcetype based on the LURV to get the numbers.

But you will most likely have two problems:

  1. Your friendly Splunk sales will be hard to convince to go with this approach
  2. In case of an incident you will need every single bit of information that you could possibly get out of your systems, so limiting yourself in this regard is dangerous

Just my 2 cents 😉

cheers, MuS

0 Karma

ikulcsar
Communicator

Yep, thx.

That's what I was afraid to do. I have to find out which source is ES relevant, which is not...

Thanx for your time and help.
Regards,
István

0 Karma
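
For the per-sourcetype measurement discussed in this thread, the following added example (not part of the original posts) totals the `b` (bytes) field by `st` (sourcetype) from `type=Usage` lines of `license_usage.log` and splits the volume into ES-relevant and other. The sample lines are constructed, and `ES_SOURCETYPES` is a hypothetical classification to replace with your own.

```python
import re
from collections import defaultdict

# Hypothetical classification: replace with the sourcetypes your ES deployment uses.
ES_SOURCETYPES = {"linux_secure", "WinEventLog:Security"}

# Constructed sample lines in the key=value layout of license_usage.log.
_PREFIX = "12-01-2024 00:05:00.000 +0000 INFO  LicenseUsage - "
SAMPLE_LINES = [
    _PREFIX + 'type=Usage s="/var/log/secure" st="linux_secure" h="web01" idx="os" b=1073741824',
    _PREFIX + 'type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" idx="win" b=2147483648',
    _PREFIX + 'type=Usage s="/var/log/httpd/access log" st="access_combined" h="web01" idx="web" b=3221225472',
    _PREFIX + 'type=Usage s="/var/log/secure" st="linux_secure" h="web02" idx="os" b=1073741824',
    # Non-Usage record: must not be counted a second time.
    _PREFIX + 'type=RolloverSummary pool="example_pool" b=7516192768',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one log line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def usage_by_sourcetype(lines):
    """Sum indexed bytes per sourcetype, using type=Usage records only."""
    totals = defaultdict(int)
    for line in lines:
        fields = parse_fields(line)
        if fields.get("type") != "Usage" or not fields.get("b", "").isdigit():
            continue
        totals[fields.get("st") or "unknown"] += int(fields["b"])
    return dict(totals)

def es_split(totals, es_sourcetypes):
    """Return (es_bytes, other_bytes, es_share) for the given classification."""
    es_bytes = sum(b for st, b in totals.items() if st in es_sourcetypes)
    total = sum(totals.values())
    return es_bytes, total - es_bytes, (es_bytes / total if total else 0.0)

if __name__ == "__main__":
    totals = usage_by_sourcetype(SAMPLE_LINES)
    for st, b in sorted(totals.items(), key=lambda kv: -kv[1]):
        tag = "ES" if st in ES_SOURCETYPES else "other"
        print(f"{st:25s} {b / 1024**3:8.3f} GB  {tag}")
    es_bytes, other_bytes, share = es_split(totals, ES_SOURCETYPES)
    print(f"ES-relevant: {es_bytes / 1024**3:.3f} GB ({share:.1%}), other: {other_bytes / 1024**3:.3f} GB")
```

Sourcetypes that are only partly security-relevant fall entirely on one side of this split, so the result is an estimate rather than an exact ES volume.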