Hi,
I have a customer who has a 50GB Enterprise license on one network and he wants to add SIEM, but only for a separate network which has a measly 5GB of daily volume. He understandably feels very strongly about being forced to purchase an equivalent 50GB SIEM license when all he needs is 5GB and its even on a completely separate network. Is it possible to have a separate Enterprise + SIEM license for a second network on the same site?
I heard claims that is illegal as far as Splunk is concerned, is there a basis to those claims?
Thanks in advance for your responses.
I wouldn't use words like "illegal", especially since legality may differ between countries but it all depends on your agreement with Splunk. By default you just buy a single Splunk Enterprise license for your organization and a Enterprise Security license which equals your SE size. If you have a specific need (like the necessity to have a two separate licenses because you have two completely unconnected sites which can't be handled by a single license manager), you have to talk with your local Partner/Splunk sales representative. This is a custom case and has to be treated as such. We can't know whether Splunk decides to grant such "license layout" or not.
Hi
you can always ask that splunk split your enterprise license to 5 and 45GB license file. Then ask also 5GB ES license. Then just use separate LM where to put those two 5+5 files and use that for your SIEM instance. This will fulfill official requirements.
r. Ismo
I wouldn't use words like "illegal", especially since legality may differ between countries but it all depends on your agreement with Splunk. By default you just buy a single Splunk Enterprise license for your organization and a Enterprise Security license which equals your SE size. If you have a specific need (like the necessity to have a two separate licenses because you have two completely unconnected sites which can't be handled by a single license manager), you have to talk with your local Partner/Splunk sales representative. This is a custom case and has to be treated as such. We can't know whether Splunk decides to grant such "license layout" or not.