Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Licensing for Splunk Enterprise Security

Splunk Enterprise Security is a premium app, which is used in conjunction with Splunk Enterprise or Splunk Cloud Platform. This means that you must have Splunk Enterprise or Splunk Cloud Platform along with a Daily Indexing Volume or vCPU usage license to download the app from the Splunk Support portal.

For example, if you purchase a 1 GB Daily Indexing Volume license for Splunk Enterprise and also purchase the Splunk Enterprise Security app, you can only ingest 1 GB of data to use in Splunk Enterprise and Enterprise Security. You do not receive any additional ingestion capacity. However, you are entitled to use Splunk Enterprise Security on your ingested data.

Contact your Sales representative to get pricing details based on your specific workload. Splunk Enterprise Security monitors Splunk indexes for Daily Indexing Volume and vCPU consumption, irrespective of whether you are using the on-prem or the cloud version.

Splunk monitors daily indexing volume into Splunk and the use of that data for security use cases. Splunk also monitors the vCPU usage based on the data summarized in Splunk Enterprise Security specific summary and metrics indexes. For more information, see Use Summary indexing for increased search efficiency.

License usage is measured on Daily Indexing Volume for data sources, vCPUs, and SVC. For more information, see Splunk Offerings Purchase Capacity and Limitations.

Track ingestion usage using Chargeback

Instructions to track ingestion usage are included in the Splunk App for Chargeback and are refreshed with each new release.

Follow these steps to access the instructions for tracking ingestion usage by premium apps:

  1. Download and install the Splunk App for Chargeback from Splunkbase.
  2. After installing the Splunk App for Chargeback on your search head or search head cluster, open the app.
  3. Access the documentation by going to the Home dashboard and selecting the Docs tab.
  4. Select the Manual tab and open the manual.
  5. Go to the Appendices chapter and find the article titled "12 - How to Use the App to Track Ingestion Usage by Premium Apps."
  6. Follow the documented steps to track ingestion usage.
Last modified on 31 July, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

