Choosing the right Splunk pricing option can be complicated, but it doesn’t have to be.
In this guide to Splunk pricing and licensing, we’ll break down everything you need to know to choose the right option for your organization in 2023.
How does Splunk pricing work?
Splunk has two main platforms — Splunk Cloud and Splunk Enterprise — as well as several add-on applications such as Splunk Enterprise Security, Splunk IT Service Intelligence, and Splunk UBA.
To purchase these platforms/applications, you’ll choose from two main pricing models: ingest pricing and workload pricing.
Note that a third pricing option, entity pricing, exists for Splunk’s Cloud Portfolios. For more information on entity pricing, read this article.
What is ingest pricing in Splunk?
Ingest pricing is Splunk’s traditional, volume-based pricing option.
With ingest pricing, your payments depend on how many GB/day of data you ingest into Splunk. You can choose from several different pricing tiers and scale up or down as needed.
Because ingest pricing only takes into consideration the volume of your data, you can conduct as many searches on that data as you want at no additional cost. You can also add additional users at no extra cost.
Ingest pricing is great for people who:
- Have very defined, stable volume needs
- Want the flexibility to tackle various use cases without needing to pay for additional activity/searches/users
- Value the ability to actively administer their search efficiency
Ingest pricing is available for Splunk Enterprise and select deployments of Splunk Cloud, as well as Splunk Enterprise Security and Splunk IT Service Intelligence. Term licenses are available for on-premises, and annual subscriptions are available for cloud solutions.
What is workload pricing in Splunk?
Workload pricing is Splunk’s newer, value-based pricing option.
With workload pricing, your investment is tied to your search activity rather than your data volume. You can ingest as many GB/day as you want* — you’re simply charged for the searches/computations you perform on that data.
To measure your activity, Splunk uses Central Processing Units (vCPUs) in Splunk Enterprise and Splunk Virtual Compute Units (SVCs) in Splunk Cloud.
Workload pricing is great for people who:
- Want to ingest a lot of data upfront and explore different use cases without worrying about paying per GB
- Want to analyze data that varies in value and complexity
- Anticipate, and want to be prepared for, unexpected surges in data related to business/market activity
- Value having the industry standard pricing model
Workload pricing is available for Splunk Enterprise and Splunk Cloud, as well as Splunk Enterprise Security, Splunk IT Service Intelligence, and Splunk Data Stream Processor. Term licenses are available for on-premises, and annual subscriptions are available for cloud solutions.
*Storage remains a pricing dimension in workload pricing, but it’s not the primary pricing determinant.
Ingest pricing vs. workload pricing — which should I choose?
When it comes to deciding between ingest pricing and workload pricing, zeroing in on what exactly your goals are with Splunk is a must.
Go with ingest pricing if you:
- Have defined, predictable data needs.
- Don’t mind picking and choosing which data to ingest.
- Aren’t concerned about unpredictable surges of data based on business/market activity.
- Value the freedom to search as widely and frequently as you want at no additional cost.
Go with workload pricing if you:
- Have less defined and less stable data needs.
- Want to ingest ALL of your data upfront without limits.
- Why might this be beneficial?
- You have high-volume, lower-value data that wouldn’t be searched often but still searched occasionally.
- You recognize that you often don’t know the value of certain data until you search and analyze it.
- Why might this be beneficial?
- Don’t want to be limited in times of data surges based on business/market activity.
- Value having the industry standard pricing model.
It’s also important to check the compatibility of each pricing model with the specific Splunk solution(s) you plan on purchasing.
I want to use ingest pricing — which license/subscription should I choose?
Splunk’s ingest pricing plan offers several term license options for on-premises solutions and annual subscription options for cloud solutions. These options vary in price according to daily GB allowance.
To determine which option is right for you, first, narrow down the problem(s) you want to solve with Splunk. Then, think of the sources you can pull data from to address these problems, and lastly, try to come up with a rough estimate of how much data this will be.
This last step is easier said than done, as estimating your data volume requires a strong technical understanding of the systems involved and the nature of the data they emit.
That’s why the best way to properly estimate your data ingestion needs is to download the free trial version of Splunk Enterprise or Splunk Cloud. From there, a Splunk partner like SP6 can help you identify and ingest an appropriate sample set of data that will give you a better idea of your licensing needs.
You should also consider any upcoming changes to your organization that may affect ingestion rates, such as moving to the cloud or building another data center. In addition, consider building some headroom into your estimate to account for any unexpected data spikes.
If a new use case comes up after you’ve made your licensing decision, your Splunk Partner can provide additional trial licenses that’ll give you the space you need for testing.
I want to use workload pricing — which license/subscription should I choose?
Workload pricing uses a similar framework to ingest pricing, with different pricing tiers in the form of licenses for on-premises and subscriptions for the cloud. Rather than tying to GB/day, however, these tiers are based on SVC/vCPU usage.
SVCs/vCPUs measure the resources needed to conduct different workloads, which can include things like basic reporting, continuous monitoring, compliance, and data lake. Each workload has a unique profile of search vs. ingest, and the combination of these factors is what drives your usage.
You can use the examples below as a rough guide for anticipating your own workloads, but a certified Splunk consultant will be able to provide the most accuracy.
Source: Splunk, 2021, “What is Splunk Virtual Compute (SVC)?”
Summary
Choosing between Splunk’s pricing models — ingest pricing and workload pricing — requires an intricate understanding of your organization’s data environment. Ingest pricing is great for companies with stable, predictable data needs who want to pay by GB, while workload pricing is great for companies with less stable data needs who want to pay by search activity.
Get started with Splunk with SP6
Ready to get started with Splunk or receive additional guidance on choosing a pricing plan? Our team of 40+ Splunk-certified engineers is here to help. As a 2023 Splunk Partner of the Year, we have a proven track record of helping organizations maximize the value of their Splunk investment.