When Splunk announces an end to its long-loathed ingest-based volume-pricing model, the replacement per-processor pricing model won’t be any better. As we saw with the SolarWinds hack, the need to send all logs, not just the ones you can afford, remains vital.
How does one send logs efficiently and inexpensively?
We took a closer look at Splunk’s documentation, and it was obvious that the cost of per-processor pricing can be shocking. The recommended maximum ingest per Enterprise Security indexer is 100 GB per day. Therefore:
• 1 TB/day recommended indexer count = 10 indexers
• 10 TB/day recommended indexer count = 100 indexers
The minimum number of cores per Enterprise Security indexer is 16. Thus, based on the recommended configuration:
• 1 TB/day = 16 x 10 = 160 cores
• 10 TB/day = 16 x 100 = 1600 cores
So, what happens when you add other Splunk products such as IT Service Infrastructure, Phantom Orchestration or Deployment Servers, Forwarders, or Heavy Forwarders? The number of cores required might easily double or triple:
• 1 TB/day Loaded = 16 x (20-30) = 320-480 cores
• 10 TB/day Loaded = 16 x (200-300) = 3200-4800 cores
What are your options for maximum savings?
Did you know that LogZilla NEO ingests, indexes, and displays 10 TB per day on a single 1U server? Using our multi-patented preduplication algorithm, you can reduce the data flow to Splunk by 40%-70% without losing a single byte, then send enriched data downstream to Splunk, not just the raw data.
The two top benefits of using LogZilla NEO for preduplication are the improved effectiveness and productivity of the downstream Splunk analyst and the significant cost savings, which leave your organization better able to invest in other tools and infrastructure.
Ready to watch how LogZilla NEO generates an ROI of greater than 40% in less than 90 days? …That’s right… the more data you send per day, the higher the ROI, and the faster the payback!