How to estimate license requirements for new data sources from a number of hosts?

New Member

We have some new sources that we want to bring into Splunk, but are concerned about license utilization. Is there a way to estimate Splunk usage from a number of hosts without having to deltify each log for it’s per day growth and then summing that up? I guess what I’m looking for is something that I could dump the log to, like a nullQueue, but have it count how much data it would consume. This will help us plan for license growth as we bring new services on. Right now the proposed use case is a pretty big hadoop cluster, but I could also see us indexing application traces and errors for ruby on rails apps.

Labels (1)
0 Karma


Well, one thought I had was manual labor and a lot of math, but because I'm lazy and assume others are as well, that's probably out. 🙂

With an enterprise license you can go over your license amount I think 5 times in a 30 day rolling window. With the free license I think it's 3 times. So, as long as you are paying attention and managing the rest of your Splunk environment, you may be able to just pick a day in which you'll enable several new inputs and not worry if you go over license that day.

After a few hours or a day of ingesting those inputs, check your license pages (or the S.o.S. app - you should install that) and see what it's like. You could even set up a license alert - search for those and there are all sorts of great ideas in Answers on some options for some of those. Anyway, keep the inputs that are small enough and get rid of (or figure out how to reduce) the ones that were too big.

Just make sure you don't enable them all on a Friday afternoon and forget about them until Tuesday and have 3 or 4 days of license overage. 😞

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...