As far as I know, the size of the ITSI or ES license a customer buys should be equal to the basic Splunk Enterprise license.
But what if a customer wants to have a single Splunk Enterprise installation dedicated to different uses? For example, a customer buys a 3TB license of which it expects to use 1TB for security related events, 1TB for serivice monitoring and the rest for other uses, mostly business intelligence. Pricing ITSI and ES for 3TB each seems a bit expensive.
Does license pool help here in any way? But even if so, the license pool is allocated per indexer, not per index if I remember correctly. So that would mean the necessity to install separate indexer clusters for each of those uses.
I have understood this, that you must have an equal license for core + es + ITSI for those indexers which have used data. So basically you could have separate license pool if you have also a separate indexers for ITSI and ES. And if this is not enough you could set up totally different environment which has own LM which have only those licences and another LM which have licenses for all other stuff.
r. Ismo
Yeah, that's pretty much what I understand myself.
So you need to separate the workload between different "subenvironments". You can't have - within the same, uniformly licensed environment - for example, different set of indexes for ops monitoring, different set for security and so on. If it's within the same environment, you have to license the whole size.
A bit sad, actually.