@danielbb 

Since your ingestion is minimal (2 GB/day), and assuming you already have on-prem infrastructure:

• Stick with on-prem if you want full control and already have the hardware.
• Choose Ingest-Based Term Licensing for predictable costs and flexibility.
• Consider Splunk Free (500 MB/day) for testing or very small-scale use.

If you're open to cloud and want to reduce operational overhead, Splunk Cloud with pay-as-you-go could be a cost-effective and low-maintenance alternative.

For such a small ingestion volume, Splunk Cloud might be worth considering if:

• You want to avoid infrastructure management.
• You prefer pay-as-you-go pricing 
• You value scalability and ease of updates.

Pricing | Splunk

Currently minimum licence for Cloud is 5GB and it's always for minimum one year. If you want to test with cloud you must use Splunk's free trial which is 14days and you cannot migrate/convert this to official stack after 14d period.

In onprem minimum license is 1GB/day. You could use it for single node or create even multisite cluster with it or anything between those options. With your ingested data amount there is no option to go svc based license in onprem even there is this splunk's offering. This needs much higher daily ingestion amount to be reasonable priced vs. ingestion based license.

Currently SCP (splunk cloud license) are quite nicely priced vs. onprem + hw/virtual capacity/management stuff needed for those so I definitely look SCP for production probably even earlier than 5GB daily base ingestion. Of course it depends on what kind of environment you have and how splunk will be managed there etc.

And of course you quite probably need some nodes (e.g. DS + IHF + DBX HF etc.) into onprem too?

Hi @danielbb 

I think from memory the minimum I've seen a Cloud stack is 50GB, however this is just based on a some of the smaller customers I have worked with. 

It is possible to get ingestion based licenses for on-premises which I believe go from 1GB in chunks, so you would be able to purchase a 2GB license.

I think your best option here is to speak to sales, if you dont have a contact go via https://www.splunk.com/en_us/talk-to-sales/pricing.html?expertCode=sales and tell them you wish to do a PoC etc, they should be able to provide you a proper license for the PoC versus the trial license available online.

Happy Splunking!

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing