Choosing the right license for your Splunk environment can be a complicated task. We all know by now that Splunk Enterprise is licensed by the amount of data you ingest per day and is sold as a perpetual or term (annual) license – but what license makes the most sense in your environment? In this article, we will investigate what details drive your Splunk license needs and arm you with the tools you need to make the right purchase.
Estimate your data ingestion
The most important component in deciding what Splunk license is right for you is estimating your data needs over time. Think about the problems you want to solve with Splunk – application monitoring, security, sales analytics, or anything else. Consider which of these use cases matter most to you and prioritize of their order of importance. What data sources will you have to collect to analyze and solve these problems and how much data will that be? This is a particularly difficult question to answer – it requires a technical understanding of the systems involved and the nature of the data these systems emit. The amount of data generated by IT systems can fluctuate rapidly from moment to moment. For example, if you were to analyze the amount of data collected from a corporate network device over time you would probably find that device generates 100 times more data during business hours than on weekends. If you were running an e-commerce platform you would probably find spikes of data ingestion from promotions or advertisements.
The single best way to properly estimate your data ingestion needs is to download and install the free trial version of Splunk Enterprise, have a technical resource identify an appropriate sample set and time range of data, and use Splunk to analyze your data ingestion. You can also consider reaching out to a Splunk Partner such as Aditum to work with you through this phase. Knowing the right license size from the start on a Splunk implementation will save you a lot of time and arguments with accounting.
Focus on getting the best possible estimate for the data sources required for your highest priority use case. There are many articles available online that get into more detail on this topic. I’ve provided links which can be found at the end of this article – the best one is titled What size should my Splunk license be. Time permitting, gather estimates for your lower priority use cases and consider what your timeline might be for implementing them – this will be invaluable information for helping you decide between a perpetual or term license. Don’t forget to consider upcoming changes to your organization that might affect your data ingestion rates – are you building another data center (likely would be a big increase in ingestion)? Are you moving into the cloud (likely would result in less data ingestion)?
Predicting everything that could possibly happen to change the amount of data you are ingesting with Splunk is near impossible – which is a big , as of version 6.5, Splunk no longer enforces “hard limits”. In the past these “hard limits” would prevent you from using Splunk to search against your data when you exceeded your license capacity more than 5 times in a month. Start with a best effort estimate and give yourself some headroom to deal with those unexpected spikes in data usage. Splunk tends to expand rapidly in organizations, if a new use case presents itself to you after you’ve made your licensing decision, don’t hesitate to reach out to your Splunk Sales Rep – they can issue additional trial licenses to give you the space you need for testing.