Cisco Support Community

Splunk Indexing

Hi,

I'm putting together a costing to install Splunk for IronPort reporting. Does anyone know of a good way to get an idea of the amount of logs we'd be indexing daily?

Best bet I can think of for the moment is to set it all up with a trial licence and see what I get; we'll be doing it anyway to confirm it does give us what we need.

If anyone has a better idea I'd be grateful.

Many thanks

Chris

1 ACCEPTED SOLUTION

Splunk Indexing

We have recently started testing Splunk for the WSA also. Be aware that the trial license only allows for the import of 500MB of log data per day. The amount of logs you would be indexing depends on the amount of traffic you generate and the size of your log files on a daily basis. Cisco does have a sizing doc based on the transaction numbers you generate.

We worked with our Cisco reps to determine the proper sizing that was needed for our environment due to our large volume of traffic. I would reach out to your rep for the documentation if you are unable to find it on the website.

I hope this helps.

Dominick

3 REPLIES
Re: Splunk Indexing

Cheers, and the magic word "sizing" took me to the correct part of the document, which admittedly I hadn't read very thoroughly.

Great answer, we're going to chat with Splunk, I'll give our Cisco rep a call as well.

Thanks again,

Chris

Re: Splunk Indexing

I'm confused, because it seems that this is available on the box...

Couldn't you just ftp to the box, look at the files in the /accesslogs folder, and maybe do some math if you've tweaked the rollover time?  Mine are configured to rollover nightly (which I think is the default), and they range from 800-980 meg a day...

Ken
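
The arithmetic Ken describes, as an added example that is not part of the original thread: each rolled log file is normalised to MB per day using the gap since the previous rollover, then compared with the 500MB daily trial limit from the accepted answer. The function names, the local log directory passed to `scan`, the sample sizes and the use of file modification time as the rollover time are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from pathlib import Path

MIB = 1024 * 1024
TRIAL_LIMIT_MB = 500  # daily trial-licence limit quoted in the accepted answer


def scan(directory):
    """Return (mtime, size_bytes) for each file in a local copy of the logs.

    Assumption: each file's mtime is close to the moment it was rolled over.
    """
    out = []
    for p in Path(directory).iterdir():
        if p.is_file():
            st = p.stat()
            out.append((datetime.fromtimestamp(st.st_mtime, timezone.utc), st.st_size))
    return out


def mb_per_day(rolled):
    """Normalise each rolled file to MB/day using the gap since the previous rollover.

    The oldest file is skipped because the start of its interval is unknown.
    """
    rolled = sorted(rolled)
    rates = []
    for (prev_t, _), (t, size) in zip(rolled, rolled[1:]):
        days = (t - prev_t) / timedelta(days=1)
        if days > 0:  # ignore files with identical timestamps
            rates.append(size / MIB / days)
    return rates


def summarise(rates, limit_mb=TRIAL_LIMIT_MB):
    """Mean and peak daily volume, and whether the peak exceeds the limit."""
    peak = max(rates)
    return {"mean": round(sum(rates) / len(rates), 1),
            "peak": round(peak, 1),
            "over_limit": peak > limit_mb}


# Constructed sample: rollover every 12 hours, so each file covers half a day.
t0 = datetime(2024, 1, 1)
SAMPLE = [(t0 + timedelta(hours=12 * i), mb * MIB)
          for i, mb in enumerate([400, 450, 490, 420])]

if __name__ == "__main__":
    print(summarise(mb_per_day(SAMPLE)))
```

Size the licence against the peak rather than the mean, and leave the currently active (not yet rolled) log file out of the directory before scanning.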
