<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 14, 2016 at 1:01 PM, Rick Troth <span dir="ltr"><<a href="mailto:rmt@casita.net" target="_blank">rmt@casita.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_-1013153644153941413moz-cite-prefix">[...]<br>
<br>
I found Splunk's gigabyte licensing to be annoying. A customer can
bump into the wall and lose traffic. (I forget the details of the
failure mode.) <br></div></div>
<br></blockquote><div> </div><div>Just to clarify Splunk's licensing is based on daily ingestion of data. So we have a 2TB license at work, but we keep data for 92 days so we have ~184GB of data (not really, but good enough for this conversation)</div></div><br></div><div class="gmail_extra">Traditionally, the fifth day that you breach your license in a rolling 30-day window, the search feature will be disabled but data would still be ingested. During training Splunk would tell you to feel free to violate your license during the freebies; if you have a new deployment you might have historical data to load etc. They would also advertise that your first couple of times calling them to unlock search the first person you talked to would immediately give you a code to unlock searching.</div><div class="gmail_extra"><br></div><div class="gmail_extra">At .conf 2016 (October 27-29) they announced they were changing the failure mode. Starting in 6.5 (released at the conference), they will no longer be disabling searching. The justification was that pain typically comes at really bad times for companies (e.g. during an extended DOS attack). They said for details to ask your sales rep and I was not able to get good details. Most people assume they have built some sort of phone home in; I did read something about having to manually upload usage information if your system is unable to automatically phone home, but we just upgraded to 6.4 and will wait until at least spring to go to 6.5</div><div class="gmail_extra"><br></div><div class="gmail_extra">Is Splunk interesting? From our perspective, absolutely! While a few fields are extracted at index time (data ingestion), most fields are extracted when you perform a search. Since we have a very diverse I.T. environment as we have a number of independent I.T. shops so we don't have standardized technologies nor do we have central change management, so being able to bring the data in and then update field extractions on the fly is a critical feature for us. Also, since we have no central configuration management, having the deployment server to enable the Splunk team to manage the forwarders (agent software that send data to Splunk) is a huge win.<br><br>In terms of features, Splunk is quite rich; it can read anything that can be converted to textual data, the forwarders can run scripts, they have an http event collector for injecting JSON events, they have Hunk that lets you layer Splunk on top of Hadoop and various no-sql database, they have dbconnect for sql databases etc.<br><br>Is it worth tracking Splunk Live? I'm probably biased since in practice I'm dedicated to our Splunk implementation and I spoke at the Splunk>Live event in Columbus last year, so I wasn't going to weight in, but... Generally I tell people its half sales and half technical. A number of people there will be potential customers, so they're trying to help them see the problems it helps other customers solve. That would make me lean towards maybe not; the fact that even though they are very open and extensible it is closed source makes me further lean maybe not.</div><div class="gmail_extra"><br></div><div class="gmail_extra">If people have questions about Splunk I'd be happy to try to answer them; I've worked on OSU's implementation for over three years (2TB license, thousands of forwarders, 600+ source ypes) and I report to Mark Runals who founded the Columbus user group (happy to help people join if interested). I'm not convinced Splunk is really on-topic for this mailing list, so feel free to e-mail me directly.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks,</div><div class="gmail_extra">Bill</div></div>