Splunk Enterprise Security

Enterprise Security license usage: How do you report/estimate the license volume that has been processed?

ikulcsar
Communicator

Hi,

Because of a license renewal/upgrade: is there any way to report/estimate the license volume processed by Enterprise Security?

Regards,
István

0 Karma
1 Solution

MuS
SplunkTrust

Hi ikulcsar,

This is not really related to Enterprise Security, but just a basic Splunk question. License usage is calculated the same with or without ES; it is based on the amount of raw data being indexed.

Read the docs about the LURV here http://docs.splunk.com/Documentation/Splunk/latest/Admin/LicenseUsageReportViewexamples

Hope this helps ...

cheers, MuS

0 Karma

ikulcsar
Communicator

Hi,

Thx for the reply. I am familiar with the Splunk Enterprise licensing.
We have security-related sources along with non-security ones. And there are some partial security and non-security sources.

After all, we don't wanna buy an ES license for all of the Splunk Enterprise license, so somehow we have to measure the log volume processed by ES.
Based on what I've been up to today, I guess there is no built-in solution for this, but maybe someone can help, so I asked.

Regards,
István

0 Karma

MuS
SplunkTrust

Well, you can have a look at the license usage by sourcetype based on the LURV to get the numbers.

But you will most likely have two problems:

  1. Your friendly Splunk sales will be hard to convince to go with this approach
  2. In case of an incident you will need every single bit of information that you could possibly get out of your systems, so limiting yourself in this regard is dangerous

Just my 2 cents 😉

cheers, MuS

0 Karma
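
An added example, not part of either poster's replies: an SPL search, run on the license manager, that splits daily license usage from license_usage.log into ES-relevant and other sourcetypes. The sourcetype names are placeholders to replace with your own list, and the 30-day window is an assumption.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=@d
| eval scope=if(in(st, "PLACEHOLDER_security_sourcetype_1", "PLACEHOLDER_security_sourcetype_2"), "ES-relevant", "other")
| bin _time span=1d
| stats sum(b) AS bytes BY _time, scope
| eval GB=round(bytes/1024/1024/1024, 3)
| stats avg(GB) AS avg_daily_GB, max(GB) AS peak_daily_GB BY scope
```

In license_usage.log, `b` is the indexed byte count and `st` is the sourcetype, so the result is an average and a peak daily volume for each of the two groups.
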

ikulcsar
Communicator

Yep, thx.

That's what I was afraid to do. I have to find out which source is ES relevant, which is not...

Thanx for your time and help.
Regards,
István

0 Karma