Choosing the right license for your Splunk environment can be a complicated task. We all know by now that Splunk Enterprise is licensed by the amount of data you ingest per day and is sold as a perpetual or term (annual) license – but what license makes the most sense in your environment? In this article, we will investigate what details drive your Splunk license needs and arm you with the tools you need to make the right purchase.
Estimate your data ingestion
The most important component in deciding what Splunk license is right for you is estimating your data needs over time. Think about the problems you want to solve with Splunk – application monitoring, security, sales analytics, or anything else. Consider which of these use cases matter most to you and prioritize of their order of importance. What data sources will you have to collect to analyze and solve these problems and how much data will that be? This is a particularly difficult question to answer – it requires a technical understanding of the systems involved and the nature of the data these systems emit. The amount of data generated by IT systems can fluctuate rapidly from moment to moment. For example, if you were to analyze the amount of data collected from a corporate network device over time you would probably find that device generates 100 times more data during business hours than on weekends. If you were running an e-commerce platform you would probably find spikes of data ingestion from promotions or advertisements.
The single best way to properly estimate your data ingestion needs is to download and install the free trial version of Splunk Enterprise, have a technical resource identify an appropriate sample set and time range of data, and use Splunk to analyze your data ingestion. You can also consider reaching out to a Splunk Partner such as Aditum to work with you through this phase. Knowing the right license size from the start on a Splunk implementation will save you a lot of time and arguments with accounting.
Focus on getting the best possible estimate for the data sources required for your highest priority use case. There are many articles available online that get into more detail on this topic. I’ve provided links which can be found at the end of this article – the best one is titled What size should my Splunk license be. Time permitting, gather estimates for your lower priority use cases and consider what your timeline might be for implementing them – this will be invaluable information for helping you decide between a perpetual or term license. Don’t forget to consider upcoming changes to your organization that might affect your data ingestion rates – are you building another data center (likely would be a big increase in ingestion)? Are you moving into the cloud (likely would result in less data ingestion)?
Predicting everything that could possibly happen to change the amount of data you are ingesting with Splunk is near impossible – which is a big , as of version 6.5, Splunk no longer enforces “hard limits”. In the past these “hard limits” would prevent you from using Splunk to search against your data when you exceeded your license capacity more than 5 times in a month. Start with a best effort estimate and give yourself some headroom to deal with those unexpected spikes in data usage. Splunk tends to expand rapidly in organizations, if a new use case presents itself to you after you’ve made your licensing decision, don’t hesitate to reach out to your Splunk Sales Rep – they can issue additional trial licenses to give you the space you need for testing.
Choosing the right Splunk license
Once you have a good idea of how much data you’ll be ingesting per day, you will have to consider whether a perpetual or term license makes more sense for you. Splunk is also offered as a managed service, Splunk Cloud, but cloud versus on premise is another discussion entirely – for the purposes of this article we’ll assume you’re planning on deploying Splunk on premise. Splunk openly lists their North America pricing for licenses up to 100 GB/day in size on their website. As of the writing of this article, the prices are as follows below:
|Daily Index||Perpetual License||Annual Term License|
|Volume||(per GB)||(per GB)|
|>100 GB/day||Contact Sales||Contact Sales|
As you might expect, the larger the license, the less you pay per GB/day. At first glance, you will notice each of the perpetual licenses cost 2.5 times as much as the corresponding term license – leading you to believe your ROI for committing to a perpetual license is 2.5 years. This, however, does not factor in the cost of support – on a term license support is included, on a perpetual license support is 20% of the volume license cost (25% for global support). You are only required to purchase support for the first year of your perpetual license, but realistically you’ll need support for the life of the license.
|50 GB/day License||Perpetual Cost||Perpetual Total||Term Total||Annual Term Cost|
|Year 1||$95,000 + $19,000 support||$114,000||$38,000||$38,000|
Perpetual licenses pay the greatest dividends when you do not expect your license needs to change drastically over the course of 5 years or more. This is why it is imperative that you estimate your realistic data needs and forecast future changes as well as possible. Knowing that Splunk spreads like wildfire once it is introduced to an organization, consider starting with a term license as you continue to identify new and probable use cases. Once Splunk has earned some wins for your organization it will be a lot easier to have a discussion about a perpetual license.
There are also some intangible benefits to committing to a perpetual license, especially for administrators. Once you’ve adopted a perpetual license, administrators are no longer burdened with fighting for Splunk budget every cycle. Also some organizations have a habit of moving quickly from product to product – oftentimes before the original product is even fully deployed.
Already have a Splunk license? Learn how to reduce its usage
Explore ways you can reduce your Splunk license consumption and better align your Splunk usage with your organizations strategic goals.
In a perfect world, you would know exactly what size license you need and when you will need it. Realistically, we make an educated guess and build in some headroom for ourselves. The more accurately you estimate your license needs, the better. You don’t want to overbuy, but constantly having ‘license anxiety’ can be crippling to your environment. If you are looking at deploying Splunk for the first time in an organization, I highly recommend starting with a term license until your needs are better defined. If you’re at an organization that already has a firm grasp on your own Splunk usage, consider committing to a perpetual license saving you time, energy, and money in the long run.
Additional Decision Making Tools
Splunk also offers some incredibly high-value, no-charge assessment tools to current and prospective customers that offer guidance in the decision making process:
- Data Source Assessments. DSA’s captures the data used by various teams (IT Ops, Security, App Dev) and identifies opportunities to drive additional, hidden value through the reuse of the same data already indexed by other teams. Reuse of data can increase the benefits of a Splunk deployment and increase ROI.
- Interactive Value Assessment. The IVA quantifies the IT and business value of current and future Splunk deployment and use and generates a CxO-ready business case to support an investment. The IVA moves the conversation from “look what Splunk is capable of” and puts economic numbers on Splunk’s ROI and payback periods.
Please stay tuned for additional future articles that describe each of these no-charge services/offers and how Aditum could assist in their delivery, as well as an upcoming article comparing Splunk Cloud to the on-prem options discussed above.
If you need help estimating your data needs, purchasing a Splunk license, building a business case through an IVA or DSA, or dealing with any and all things Splunk please reach out to us.
Data Usage Estimation
Aditum (Latin: “to access”) is professional services firm specializing in next-generation Analytics solutions based upon the Splunk platform. The company is quickly building one of North America’s largest and most accomplished Splunk professional services team with extensive experience across all of Splunk’s major use cases including IT Ops, Security, DevOps, Business Analytics and IoT.
Aditum’s Splunk Certified Architects and Splunk Certified Consultants drive client success with initial Splunk deployments, environment upgrades/scaling, building of dashboards/searches/reports and Splunk health checks. Aditum also has a team of accomplished Splunk Developers that focus on the development of Splunk apps and technical add-ons.