How to calculate how much splunk license is enough

architkhanna
Path Finder

I have a splunk Cluster where instances are of following configurations.

--> 16vCPU

--> 64GB Memory

--> 400GB Disk Size.

The source from which my app pulls data generates 150k records each day. How do we confirm the license size that needs to be installed for this scenario? Is there a straightforward formula to calculate that?
TIA.


gcusello
SplunkTrust

Hi @architkhanna,

the best approach is to analyze license consumption for a period.

Anyway, you could calculate license consumption by identifying an average size for the events, so if they are around 1kB each, you could have:

     150,000*1k/1024=140 MB

then you could add a 30% of tolerance, but anyway you need less than 500MB that's the minimum license.

Are you sure that 150k is the number of events per day and not eps?

In that case the license consumption is very different:

     150,000*3600*24*1k/1024/1024/1024=12 TB

Check the exact number of events!

Ciao.

Giuseppe


richgalloway
SplunkTrust

If your app is the only one sending data to Splunk then the license needed is 150k x the average size of a record plus a small margin for occasional overages.

If there are other apps sending data then add in the amount they will send each day.

---
If this reply helps you, Karma would be appreciated.

architkhanna
Path Finder

Thank you for the prompt reply, however, we haven't started indexing the data and we do not know the size of the events yet. The estimated license needs to be confirmed beforehand (which sounds odd to me too).
I would maybe assume each event size as ~10kb (since each record has around 200 fields) and calculate the size.

Thank You.


gcusello
SplunkTrust

Hi @architkhanna,

as @richgalloway and I said, you have two choices:

  • make a PoC to see your data, e.g. from one server, and make a calculation,
  • see the size of a single event and calculate size x number of events,

adding a margin in both cases.

At first glance, 10 kb seems a bit too much for a single event, as it means an average of 10,000 characters for each event (in your case 200 fields, each one with 50 chars!). Just as an example, a Windows event (which is among the most verbose) is always less than 1kb, and if we talk about Linux, we normally have less than 0.1 kb.

Anyway, put e.g. 1000 events in a file and see its size.

At the same time, check the number of events, because 150k events is the usual number for a few Windows servers or 2-3 Domain Controllers.

Ciao.

Giuseppe

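The sizing arithmetic from both of Giuseppe's replies, as an added worked example that is not part of the thread and not Splunk's own tooling: measure the average raw event size from a small sample (the constructed stand-in for "put 1000 events in a file"), multiply by the daily event count, add the 30% margin, floor at the 500 MB minimum quoted above, and compare the result against the reading where 150k is events per second instead of per day. The sample events, the helper names and the unit helper are assumptions of this example.

```python
"""Estimate a daily Splunk license volume from an event count and a measured
average event size, and show how far the answer moves if a count is
events per second rather than events per day.

Added example, not Splunk's own tooling. The sample events below are
constructed; MIN_LICENSE_MB and DEFAULT_MARGIN are the figures quoted in
the thread, not values read from any Splunk instance.
"""

MIN_LICENSE_MB = 500        # smallest license tier mentioned in the thread
DEFAULT_MARGIN = 0.30       # 30% headroom, as suggested in the thread

# Constructed stand-in for "put e.g. 1000 events in a file and see its size".
SAMPLE_EVENTS = [
    '2024-05-01T10:00:00Z host=app01 user=alice action=login status=200 dur_ms=41',
    '2024-05-01T10:00:01Z host=app01 user=bob action=search status=200 dur_ms=318 q="license usage"',
    '2024-05-01T10:00:02Z host=app02 user=carol action=logout status=200 dur_ms=12',
]


def average_event_bytes(events):
    """Average size of the raw event text in bytes (UTF-8 encoded).

    Splunk meters the raw data it indexes, so count bytes rather than
    characters: a multi-byte character costs more than one unit of license.
    """
    if not events:
        raise ValueError("need at least one sample event")
    return sum(len(e.encode("utf-8")) for e in events) / len(events)


def daily_volume_mb(events_per_day, avg_event_bytes):
    """Daily ingest in MB (1024-based), the unit the license is sized in."""
    return events_per_day * avg_event_bytes / 1024 / 1024


def eps_to_events_per_day(eps):
    """Convert an events-per-second rate into an events-per-day count."""
    return int(eps * 60 * 60 * 24)


def recommend_license_mb(events_per_day, avg_event_bytes, margin=DEFAULT_MARGIN):
    """Daily volume plus headroom, floored at the minimum license size."""
    needed = daily_volume_mb(events_per_day, avg_event_bytes) * (1 + margin)
    return max(needed, MIN_LICENSE_MB)


def human(mb):
    """Render an MB figure as MB/GB/TB for a quick sanity check (assumed helper)."""
    for unit, div in (("TB", 1024 ** 2), ("GB", 1024)):
        if mb >= div:
            return f"{mb / div:.1f} {unit}"
    return f"{mb:.1f} MB"


def both_readings(count, avg_event_bytes):
    """License needed if `count` is events per day versus events per second."""
    return {
        "per_day": recommend_license_mb(count, avg_event_bytes),
        "per_second": recommend_license_mb(eps_to_events_per_day(count), avg_event_bytes),
    }


if __name__ == "__main__":
    avg = average_event_bytes(SAMPLE_EVENTS)
    print(f"average event size from sample: {avg:.0f} bytes")
    for label, mb in both_readings(150_000, avg).items():
        print(f"150k {label:>10}: {human(mb)} per day (with margin, min {MIN_LICENSE_MB} MB)")
    # At ~1 KB per event the two readings differ by five orders of magnitude,
    # which is why the thread insists on confirming per-day versus per-second.
```

Run it as a script to see both readings for the 150k figure; in practice replace SAMPLE_EVENTS with lines read from a real sample file, since the per-event average (not the record count) is the number this whole estimate hinges on.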