Splunk Data Volume Calculation
When uberAgent is used with Splunk as a backend, a Splunk license is required. Splunk is licensed by daily indexed data volume, i.e., you pay for the total amount of data you send to Splunk per day. How long that data is stored does not matter, only how much new data you add. uberAgent is one of the potentially many data sources that put data into Splunk, contributing to the total data volume.
Customers have a vested interest in knowing how much data each Splunk add-on generates so they can estimate costs before they buy. In the case of uberAgent, the data volume per host depends greatly on the environment, the types of applications used, the desktop configuration, background processes, the type of browser used and many other variables. For that reason, it is not possible to calculate the data volume with any reasonable accuracy without doing an actual proof of concept implementation (see below). However, if you just want some figures for a very rough first calculation, use the following values for typical clients and servers:
- Typical data volume per single-user client and working day: 25 MB
- Typical data volume per multi-user (Citrix VAD/RDS) server and working day: 90 MB
Using uberAgent ESA in addition to uberAgent UXM will approximately double the data volume per client/server and working day.
To get accurate numbers, install uberAgent and go to the Data Volume dashboard (see below). You can significantly reduce the data volume through an optimized configuration.
If you already have uberAgent installed, you can simply look up the generated data volume on the Data Volume dashboard.
Make sure you have configured Splunk correctly, or the Data Volume dashboard may not be able to display values for all metrics.
Once you have your first installation set up, you might want to fine-tune and possibly reduce the data volume. Luckily, that is easily possible. Here is how to reduce uberAgent’s data volume.