The Ultimate Guide to Splunk Pricing in 2023: Ingest vs. Workload Pricing

Choosing the right Splunk pricing option can be complicated, but it doesn’t have to be. 

In this guide to Splunk pricing and licensing, we’ll break down everything you need to know to choose the right option for your organization in 2023. 

View an extended PDF version of this Splunk pricing guide here.

How does Splunk pricing work? 

Splunk has two main platforms — Splunk Cloud and Splunk Enterprise — as well as several add-on applications such as Splunk Enterprise Security, Splunk IT Service Intelligence, and Splunk UBA.  

To purchase these platforms/applications, you’ll choose from two main pricing models: ingest pricing and workload pricing.  

Note that a third pricing option, entity pricing, exists for Splunk’s Cloud Portfolios. For more information about this option, read this article.

What is ingest pricing in Splunk? 

Ingest pricing is Splunk’s traditional, volume-based pricing option.  

With ingest pricing, your payments depend on how many GB/day of data you ingest into Splunk. You can choose from several different pricing tiers and scale up or down as needed. 

Because ingest pricing only takes into consideration the volume of your data, you can conduct as many searches on that data as you want at no additional cost. You can also add additional users at no extra cost.   

Ingest pricing is great for people who: 

  • Have very defined, stable volume needs 
  • Want the flexibility to tackle various use cases without needing to pay for additional activity/searches/users 
  • Value the ability to actively administer their search efficiency  

Ingest pricing is available for Splunk Enterprise and select deployments of Splunk Cloud, as well as Splunk Enterprise Security and Splunk IT Service Intelligence.  

Term licenses are available for on-premises deployments, and annual subscriptions are available for cloud solutions.

What is workload pricing in Splunk? 

Workload pricing is Splunk’s newer, value-based pricing option. 

With workload pricing, your investment is tied to your search activity rather than your data volume. You can ingest as many GB/day as you want* — you’re simply charged for the searches/computations you perform on that data. 

To measure your activity, Splunk uses virtual Central Processing Units (vCPUs) in Splunk Enterprise and Splunk Virtual Compute Units (SVCs) in Splunk Cloud.

Workload pricing is great for people who: 

  • Want to ingest a lot of data upfront and explore different use cases without worrying about paying per GB 
  • Want to analyze data that varies in value and complexity 
  • Anticipate, and want to be prepared for, unexpected surges in data related to business/market activity 
  • Value having the industry-standard pricing model

Workload pricing is available for Splunk Enterprise and Splunk Cloud, as well as Splunk Enterprise Security, Splunk IT Service Intelligence, and Splunk Data Stream Processor.  

Term licenses are available for on-premises deployments, and annual subscriptions are available for cloud solutions.

*Storage remains a pricing dimension in workload pricing, but it’s not the primary pricing determinant. 

Ingest pricing vs. workload pricing — which should I choose? 

When it comes to deciding between ingest pricing and workload pricing, you should take a close look at your business environment and zero in on what exactly your goals are with Splunk. 

Go with ingest pricing if you: 

  • Have defined, predictable data needs. 
  • Don’t mind picking and choosing which data to ingest. 
  • Aren’t concerned about unpredictable surges of data based on business/market activity. 
  • Value the freedom to search as widely and frequently as you want at no additional cost.  

Go with workload pricing if you: 

  • Have less defined and less stable data needs. 
  • Want to ingest ALL of your data upfront without limits. There are two reasons this might be beneficial:
    • You have high-volume, lower-value data that wouldn’t be searched often but would still be searched occasionally.
    • You recognize that oftentimes, you don’t know the value of certain data until you search and analyze it.
  • Don’t want to be limited in times of data surges based on business/market activity.
  • Value having the industry-standard pricing model.

It’s also important to check the compatibility of each pricing model with the specific Splunk solution(s) you plan on purchasing. 

I want to use ingest pricing — which license/subscription should I choose? 

Splunk’s ingest pricing plan allows you to choose from several term license options for on-premises solutions and annual subscription options for cloud solutions. These options vary in price according to daily GB allowance. 

So, how do you determine which size is right for you? 

First, narrow down the problem(s) you want to solve with Splunk — consider use cases like security, application performance, and so on. Then, think of the sources you might pull data from to address these use cases, and lastly, try to come up with a rough estimate of how much data this will be. 

This last step is easier said than done, as estimating your data volume requires a strong technical understanding of the systems involved and the nature of the data they emit. 

That’s why the best way to properly estimate your data ingestion needs is to download the free trial version of Splunk Enterprise or Splunk Cloud. From there, a Splunk partner like SP6 can help you identify and ingest an appropriate sample set of data that will give you a better idea of your licensing needs. 

You should also consider any upcoming changes to your organization that may affect ingestion rates, such as moving to the cloud or building another data center. In addition, we recommend building some headroom into your estimate to account for any unexpected data spikes.  

And remember — if a new use case comes up after you’ve made your licensing decision, don’t hesitate to reach out to your Splunk Sales Rep. They can issue additional trial licenses to give you the space you need for testing. 

I want to use workload pricing — which license/subscription should I choose? 

Workload pricing uses a similar framework to ingest pricing, with different pricing tiers in the form of licenses for on-premises deployments and subscriptions for the cloud.

Rather than being tied to GB/day, however, these tiers are based on SVC/vCPU usage.

SVCs/vCPUs measure the resources needed to conduct different workloads, which can include things like basic reporting, continuous monitoring, compliance, and data lake. Each workload has a unique profile of search vs. ingest, and the combination of these factors is what drives your usage. 

You can use the examples below as a rough guide for anticipating your own workloads; however, we recommend working with a Splunk sales rep for the most accuracy. 

Source: Splunk, 2021, “What is Splunk Virtual Compute (SVC)?” 

Summary 

Both of Splunk’s pricing models — ingest pricing and workload pricing — can be solid options depending on your organization’s needs.  

Ingest pricing is great for companies with stable, predictable data needs who want to pay by GB, while workload pricing is great for companies with less stable data needs who want to pay by search activity.  

Want more help choosing a Splunk pricing option? Contact us for a complimentary consultation, and we’ll help you find the plan that’s best suited to your organization.