What Size Splunk License Do You Need? Here’s How to Estimate It.

conceptual illustration of different license sizes

What is a Splunk License?

A Splunk license is a file that houses information about your license entitlement. This tells you what your abilities and limitations are within the license including the amount of data you can index per day.

New call-to-action

Types of Splunk Licenses

There are four types of Splunk licenses. Here’s a quick breakdown of each one:

Free Splunk License: Splunk’s free license is a limited version of Splunk Enterprise intended for personal use. It lets Splunk users index data in small volumes of 500MB or less per day and run searches against all public indexes.

Enterprise Splunk License: The enterprise Splunk gives you access to all of the Splunk Enterprise features including machine learning and AI, data streaming, and scalable index. You can also add users and roles.

Dev/Test or Beta License: If you intend to use a Splunk Beta release, you’ll need a different license for it. Free and Enterprise licenses won’t work.

Forwarder License: This Splunk license forwardds unlimited amounts of data and enables secrutiy with a login for each user. This type of license is included in the Splunk Enterprise license.

How big of a Splunk license do I need?

Estimating the Splunk data volume within an environment is not an easy task due to several factors: number of devices, logging level set on devices, data types collected per device, user levels on devices, load volumes on devices, volatility of all data sources, not knowing what the end logging level will be, not knowing which events can be discarded, and many more.

As you begin the process of planning and implementing the Splunk environment, understand that the license size can be increased and the Splunk environment can be expanded quickly and easily if Splunk best practices are followed.

Here is a Kinney Group tested and approved, 7-step process on how to determine what size Splunk license is needed:

  1. Identify and prioritize the data types within the environment.
  2. Install the free license version of Splunk.
  3. Take the highest priority data type and start ingesting its data into Splunk, making sure to start adding servers/devices slowly so the data volume does not exceed the license.  If data volumes are too high, pick a couple of servers/devices from the different types, areas, or locations to get a good representation of the servers/devices.
  4. Review the data to ensure that the correct data is coming in. If there is unnecessary data being ingested, that data can be dropped to further optimize the Splunk implementation.
  5. Make any adjustments to the Splunk configurations needed, and then watch the data volume over the next week to see the high, low, and average size of the data per server/device.
  6. Take these numbers and calculate them against the total number of servers/devices to find the total data volume for this data type.
  7. Repeat this process for the other data types listed until you are completed.

How much does a Splunk License cost?

An Enterprise Splunk License starts at $65 per host, per month and this cost is billed annually. The majority of the cost of Splunk depends on the amount of data you ingest per day which, according to TechTarget, can start at $1,800 per GB. Splunk Enterprise is customized to your organization’s needs, so you’ll need to speak to them directly for 100% accurate pricing.

If you found this helpful… 

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.

New call-to-action

Event Sequencing in Splunk: How to Use It To Avoid Alert Fatigue

event sequencing diagram

Working in the security space in Splunk, we’re all accustomed to the pressure of security alert management, and security analysts are on the front line of security alert responding. Repeated exposure to alerts can result in “alert fatigue” — monitoring an abundance of alerts ad nauseam.

When your security alerts are too frequent, not descriptive enough, or redundant, this kind of fatigue can leave teams even more exposed to legitimate threats. Put simply, your Splunk environment can start to take on characteristics of the fable, The Boy Who Cried Wolf, and we know how that story ends.

New call-to-action

And we don’t want that for your team. In this post, we’ll show you how to avoid alert fatigue with Splunk Event Sequencing.

What is Event Sequencing?

As a feature of Splunk Enterprise Security, the Event Sequencing engine is a series of chained (sequenced) correlation searches. These searches are triggered based on search criteria and other modifiers. Once the conditions of all sequenced correlation searches are met, a sequenced event that includes all the alert data is generated. Analysts can use this data to make decisions about how to triage alerts.

The best function of Event Sequencing is that it can identify the actionable threats amidst the sea of alerts you receive each day. Using Event Sequencing leads to quicker remediation of security incidents. 

The How-To’s of Event Sequencing

Let’s take a look into how Splunk Event Sequencing works. Sequenced Events start by creating a Sequence Template. With Event Sequencing, out-of-the-box correlation searches, or custom searches, can be used.

You can create the sequencing template to detect specific behavior that an analyst can take immediate action upon. You can follow these graphics below for further reference to creating your sequence templates.

Figure 1 – Create a new Sequence Template
Figure 1 – Create a new Sequence Template
Figure 2 – New Sequence Template
Figure 2 – New Sequence Template
Figure 3 – Sequence Template Settings
Figure 3 – Sequence Template Settings

After the sequence template is created, you will find the triggered events in the Incident Review.

Figure 4 – Triggered Sequenced Template
Figure 4 – Triggered Sequenced Template

Then, you’ll want to filter your events. Click to filter on your “Sequenced Events” for these specific events.

Figure 5 – Filtering to see only triggered sequenced events
Figure 5 – Filtering to see only triggered sequenced events

Once you run your sequenced events, find them at Security Intelligence > Sequence Analysis. Then, you can review your sequence analysis.

Figure 6 – Sequence Analysis
Figure 6 – Sequence Analysis

Threats Minimized, Efficiency Maximized

When you take these best practice tips to Splunk Enterprise Security, your security alerts should be more manageable and consumable. Splunk Event Sequencing is here to help and ensure your Splunk teams are efficient and successful in the security space. With a team of security experts, Kinney Group has years of experience working in Splunk to ensure threats do not slip through the cracks. If you’re interested in our work with Splunk Enterprise Security, let us know below!

New call-to-action

The Beginner’s Guide to Splunk Calculated Fields and Aliases

diagram

A user-friendly search and analytics experience is critical to improving the usability of your data in Splunk. By creating calculated fields in Splunk, users can query new fields with or without altering the original field. Calculated fields can:

  • Correct an original field name that is truncated, misspelled, or abbreviated
  • Correlate or aggregate a field with a similar field from a different sourcetype
  • Better describe the data in the field
  • Create a field to filter data
  • Confirm with the Common Information Model (CIM)

In this post, we’ll break down exactly what a calculated field is, how to create one, and how to create a field alias.

But first, the basics:

What is a Calculated Field in Splunk?

A calculated field is a way to perform repetitive, long, or complex derivations from the calculation of one or more other fields. In short, calculated fields are shortcuts to eval expressions

What is a Field Alias in Splunk?

A field alias is an alternate name that can be assigned to a field. Multiple field aliases can be created for one field. 

Field Alias vs Calculated Field

Though both are search-time operations that make it easier to interact with your original data, the field alias takes precedence over the calculated field. Thus, a field alias cannot be created for fields that were created as a calculated field. Both can override an existing field with the new field. To create the field, the user can either add the field to the configuration file, props.conf, or add it from the Splunk Web GUI.

How to Create a Field Alias from Splunk Web

To create a field alias from Splunk Web, follow these steps:

  1. Locate a field within your search that you would like to alias.
  2. Select Settings > Fields.
  3. Select Field aliases > + Add New.
  4. Then, select the app that will use the field alias.
  5. Select host, source, or sourcetype to apply to the field alias and specify a name.
    1. Note: Enter a wildcard to apply the field to all hosts, sources, or sourcetypes.
  6. Enter the name for the existing field and the new alias.
    1. Note: The existing field should be on the left side, and the new alias should be on the right side.
    2. Note: Multiple field aliases can be added at one time.
  7. (Optional) Select Overwrite field values if you want your field alias to remove the field alias name when the original field does not exist or has no value, or replace the field alias name with the original field name when the field alias name already exists.
  8. Click Save.
Figure 1 - Field Alias from Splunk Web
Figure 1 – Field Alias from Splunk Web

How to Create a Calculated Field from Splunk Web

To create a calculated field from Splunk Web, follow these steps:

  1. Select Settings > Fields.
  2. Select Calculated Fields > + Add New.
  3. Then, select the app that will use the calculated field.
  4. Select host, source, or sourcetype to apply to the calculated field and specify a name.
    1. Note: Enter a wildcard to apply the field to all hosts, sources, or sourcetypes.
  5. Enter the name for the resultant calculated field.
  6. Define the eval expression.
Figure 2 - Calculated Field from Splunk Web
Figure 2 – Calculated Field from Splunk Web

However, one of the things to note is that when you create the field alias or calculated alias in the Splunk Web GUI, the field is saved in the /etc/system/local/props.conf configuration file. If you want the configuration file to live in the app associated with the data you are defining the field for, you have to save the field in the /etc/apps/<app_name_here>/local/props.conf configuration file.

New call-to-action

How to Create a Field Alias or Calculated Field in props.conf

To create a field alias or a calculated field in props.conf:

  1. Navigate to /etc/apps/<app_name_here>/local/props.conf
  2. Open the file using an editor
  3. Locate or create the stanza associated with the host, source, or sourcetype to apply to the field alias or calculated field.
  4. Next, add the following line to a stanza:
[<stanza>]

FIELDALIAS-<class> = <orig_field_name> AS <new_field_name>

EVAL-<field_name> = <eval_statement>
    • <stanza> can be:
      1. host::<host>, where <host> is the host for an event.
      2. source::<source>, where <source> is the source for an event.
      3. <source type>, the source type of an event.
    • Field aliases must be defined with FIELDALIAS.
      1. Note: The term is not case sensitive and the hyphen is mandatory.
      2. <orig_field_name> is the original name of the field. It is case sensitive.
      3. <new_field_name> is the alias to assign to the field. It is case sensitive.
      4. Note: AS must be between the two names and multiple field aliases can be added to the same class.
    • Calculated fields must be defined with EVAL.
      1. Note: The term is not case sensitive and the hyphen is mandatory.
      2. <field_name> is the name of the calculated field. It is case sensitive.
      3. <eval_statement> is the expression that defines the calculated field. Much like the eval search command, it can be evaluated to any value type, including multi-value, boolean, or null.

Creating field aliases and calculated fields help make the data more versatile. By using both the original fields and the new fields, users can create knowledge objects that craft a visual story about what the data represents. A well-crafted data visualization can help users understand trends, patterns, and relationships. Making meaningful correlations will ultimately lead to making better decisions.

Splunk Pro Tip: This type of work can be a considerable resource expense when executing it in-house. The experts at Kinney Group have several years of experience architecting, creating, and solving in Splunk. With Expertise on Demand, you’ll have access to some of the best and brightest minds to walk you through simple and tough problems as they come up.

Kinney Group Expertise on Demand

See for Yourself

Need more Splunk Tips?

As a dedicated Splunk partner with a bench full of experts, we’ve gained valuable insights and understanding of the Splunk platform that can excel your business forward. When it comes to best practice methods, training, and solution delivery, we’ve developed service offerings that can help any organization exceed its Splunk goals. For Splunk tips like this post, check out our Expertise on Demand service offering. If you’re working on projects that require a larger scope and Splunk skills, see what our professional service offerings can deliver for you.

New call-to-action