We are gathering logs from various devices that contain security, performance, and availability-related information. These logs are all being sent to Splunk.
We utilize both Splunk core and the ES App. Since we have to pay separately for both core and the ES App based on ingestion, we are exploring options to minimize costs.
Is there a mechanism available for selecting which logs can be sent to the ES App for processing? If such an option exists, we would only need to send security-specific logs to the ES App, significantly reducing our Splunk ES App licensing costs.
This is actually a question to your local Splunk sales representative (or your local Partner since you're probably purchasing licenses through a Partner).
Typically your ES license must match your main SE license volume-wise, and I've never seen it otherwise. The general idea is that all data you are indexing can be used for ES purposes, so the only case where you might be able to have a "partial" ES situation would be if you had two separate licenses for two separate environments - one with ES and one without. But that in itself is not something you'll easily get. Honestly, I'm not sure if you can get such a deal unless you are a huuuuuge customer and have completely disconnected environments (otherwise you're supposed to use a single license manager and split your license into separate licensing stacks).
Bottom line is - your ES license must match the size of your main SE license, and it is highly unlikely you'll get it otherwise.
I don't know how your licensing differentiates between "Splunk Core" logs and "ES" logs, but if you can find out the technical measure that Splunk uses to decide which category the logs belong to, then there should be a way to configure your Splunk environment to shift logs one way or the other.
E.g., if it's based on sourcetypes or indexes, then those can be changed with props.conf and transforms.conf.
If it's based on data models, then those can be changed with eventtypes and tags.
If it's based on indexers, then that can be changed with the indexer architecture.
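As an added illustration of the props.conf/transforms.conf and eventtype/tag mechanisms mentioned in the answer above (this configuration is not from the post or from Splunk's own documentation): events of an assumed sourcetype `linux_secure` are routed into an assumed dedicated index `security` at parse time and then tagged so the CIM Authentication data model picks them up. The index must already be defined in indexes.conf, and routing only changes where data lands and how ES sees it, not the indexed volume the license meter counts.

```ini
# props.conf (indexer or heavy forwarder, i.e. wherever parsing happens)
# "linux_secure" is an assumed sourcetype; apply the routing transform to it.
[linux_secure]
TRANSFORMS-route_security = route_to_security_index

# transforms.conf
# Rewrite the destination index for every matching event ("security" is an
# assumed index name that must exist in indexes.conf on the indexers).
[route_to_security_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = security

# eventtypes.conf (search head / ES search head)
# An eventtype that selects the routed data for data-model use.
[security_auth_events]
search = index=security sourcetype=linux_secure

# tags.conf
# Tagging the eventtype "authentication" lets the CIM Authentication
# data model (and therefore ES correlation searches) include these events.
[eventtype=security_auth_events]
authentication = enabled
```

Check the result with `index=security sourcetype=linux_secure tag=authentication` after a restart; if nothing returns, confirm the props stanza lives on the parsing tier rather than a universal forwarder.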