Estimating Splunk License Sizes

Written by: Michael Simko | Last Updated: April 19, 2024 | Originally Published: September 2, 2022

What is a Splunk License?

A Splunk license is a file that houses information about your license entitlement. It defines your abilities and limitations under the license, including the amount of data you can index per day.

Types of Splunk Licenses

There are four types of Splunk licenses. Here’s a quick breakdown of each one:

Free Splunk License: Splunk’s free license is a limited version of Splunk Enterprise intended for personal use. It lets Splunk users index data in small volumes of 500MB or less per day and run searches against all public indexes.

Enterprise Splunk License: The Enterprise license gives you access to all of the Splunk Enterprise features, including machine learning and AI, data streaming, and scalable indexing. You can also add users and roles.

Dev/Test or Beta License: If you intend to use a Splunk Beta release, you’ll need a different license for it. Free and Enterprise licenses won’t work.

Forwarder License: This Splunk license allows forwarding of unlimited amounts of data and enables security with a login for each user. This type of license is included in the Splunk Enterprise license.

How big of a Splunk license do I need?

Estimating the Splunk data volume within an environment is not an easy task due to several factors: number of devices, logging level set on devices, data types collected per device, user levels on devices, load volumes on devices, volatility of all data sources, not knowing what the end logging level will be, not knowing which events can be discarded, and many more.

As you begin the process of planning and implementing the Splunk environment, understand that the license size can be increased and the Splunk environment can be expanded quickly and easily if Splunk best practices are followed.

Here is a Kinney Group tested and approved 7-step process for determining what size Splunk license is needed:

  1. Identify and prioritize the data types within the environment.
  2. Install the free license version of Splunk.
  3. Take the highest priority data type and start ingesting its data into Splunk, making sure to start adding servers/devices slowly so the data volume does not exceed the license. If data volumes are too high, pick a couple of servers/devices from the different types, areas, or locations to get a good representation of the servers/devices.
  4. Review the data to ensure that the correct data is coming in. If there is unnecessary data being ingested, that data can be dropped to further optimize the Splunk implementation.
  5. Make any adjustments to the Splunk configurations needed, and then watch the data volume over the next week to see the high, low, and average size of the data per server/device.
  6. Take these numbers and calculate them against the total number of servers/devices to find the total data volume for this data type.
  7. Repeat this process for the other data types listed until you have covered them all.
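
Steps 3, 5, 6 and 7 come down to a calculation over the pilot's measurements. The Python below is an added example, not Kinney Group's or Splunk's code; the sample measurements, device counts and function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

FREE_LICENSE_MB_PER_DAY = 500  # free-license daily limit stated in this article

# Constructed pilot data: (data_type, host, day, MB indexed by that host that day).
PILOT_SAMPLES = [
    ("windows_events", "w1", "day1", 40), ("windows_events", "w2", "day1", 30),
    ("windows_events", "w1", "day2", 60), ("windows_events", "w2", "day2", 50),
    ("windows_events", "w1", "day3", 50), ("windows_events", "w2", "day3", 70),
    ("firewall", "fw1", "day1", 200), ("firewall", "fw1", "day2", 300),
    ("firewall", "fw1", "day3", 400),
]
# Constructed inventory: total servers/devices of each data type in the environment.
FLEET_SIZE = {"windows_events": 400, "firewall": 12}


def per_device_stats(samples):
    """Step 5: low, average and high MB/day per device, for each data type."""
    by_type = defaultdict(list)
    for data_type, _host, _day, mb in samples:
        by_type[data_type].append(mb)
    return {t: {"low": min(v), "avg": mean(v), "high": max(v)} for t, v in by_type.items()}


def pilot_days_over_limit(samples, limit_mb=FREE_LICENSE_MB_PER_DAY):
    """Step 3: days on which the pilot's combined ingest exceeded the license."""
    daily = defaultdict(int)
    for _type, _host, day, mb in samples:
        daily[day] += mb
    return sorted(day for day, total in daily.items() if total > limit_mb)


def estimate_daily_mb(samples, fleet):
    """Steps 6-7: scale per-device figures to the fleet and sum over data types."""
    totals = {"low": 0, "avg": 0, "high": 0}
    for data_type, stats in per_device_stats(samples).items():
        if data_type not in fleet:
            raise KeyError(f"no device count for data type {data_type!r}")
        for key in totals:
            totals[key] += stats[key] * fleet[data_type]
    return totals


if __name__ == "__main__":
    print("pilot days over free license:", pilot_days_over_limit(PILOT_SAMPLES))
    for key, mb in estimate_daily_mb(PILOT_SAMPLES, FLEET_SIZE).items():
        print(f"{key:>4}: {mb:,.0f} MB/day")
```

With the constructed data, the pilot exceeds the 500 MB free-license limit on day3, which is the signal in step 3 to cut back to a smaller representative set of devices.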

How much does a Splunk License cost?

An Enterprise Splunk License starts at $65 per host, per month, and this cost is billed annually. The majority of the cost of Splunk depends on the amount of data you ingest per day, which, according to TechTarget, can start at $1,800 per GB. Splunk Enterprise is customized to your organization’s needs, so you’ll need to speak to Splunk directly for 100% accurate pricing.

If you found this helpful…

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.
