An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the index?
Adding 200 GB of historical data each day for 50 days minimizes the risk of license issues because it allows the total daily data volume (including the 300 GB of new data) to remain within the 500 GB license limit. This approach ensures that no daily license violations occur by distributing the historical data ingestion evenly across multiple days, thus avoiding any chances of triggering warnings or violations due to exceeding the daily volume.
Getting one warning is better than risking getting warnings 50 times and ending up with a violation.
Disagree. It says 24h period but the license warning is based on the incoming data until the day ends/midnight. So if you end up putting in 10TB over 24h you might risk getting two violations. In an example like this where there aren't any other variables that could mess up the 300/200 split, D is the correct answer to minimize. In a real world example it may look different though..
D. 300GB is already coming in daily... now you can add only 200GB more each day... this way you'll have to split the 10TB historical data over 50 days ... and this'll solve the problem 300GB + 200GB Historical day = 500GB - which is under the license violation
Answer is D, since the question is asking "To minimize license issues, what is the best way to add 10 TB of historical data to the index?"....I think the key word is "minimize".
I agree (that C) but it will be a license warning, not a violation.
Question does not explicitly say license warning or even violation, instead it states, "To minimize license issues"
I agree. The question is not very "real world", but D would incur no license violations and therefore "minimize" license issues
It says "To minimize license issues". Transferring 200GB every day when you are using 300GB daily means that even 1MB above that will trigger an alert. As the Splunk documentation says: To avoid license warnings, monitor the license usage over time and ensure that you have sufficient license volume to support your daily license use.
Per the provided Reference URL https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations Scrolling down to the section titled, Avoiding license warnings, reads To avoid license warnings, monitor the license usage over time and ensure that you have sufficient license volume to support your daily license use: - Use the license usage report view on the license to troubleshoot index volume. - Enable an alert on the monitoring console to monitor daily license usage.
Minimize - reduce (something, especially something unwanted or unpleasant) to the smallest possible amount or degree. Answer has to be D as it will allow you to ingest all the data with the least amount of license issues within the given parameters. Also there is no way Splunk is going to suggest that the best way to ingest large amounts of data is to violate their license agreement.
C sounds better, it's a one-time shot. Adding 200GB of data during the next 50 days doesn't minimize the issue since it causes 50 chances of license warnings (5 warnings cause a violation).
It does minimize license issues. We are not talking about a data migration issue here. We are talking about license issues. If you are getting an alert or warning, or violation....those are the license issues.
I think the answer is C. Adding the 10TB historical data within 24 hours of license usage will trigger a license violation only once.
I vote D; it makes more sense and would minimize any license issues.
From the discussion on the following link, it seems D is the better option, maybe not the right but the better. https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations
Answer D. Do NOT ever go over your license quota; violations are pricey. IT IS NOT BEST PRACTICE. If we are only indexing 10TB of data once, no need for a license increase because it costs more money; data will be a one-shot upload.
https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations "An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate." Then the answer is C Add all 10 TB in a single 24 hour period given the 500GB license will not have a violation.
D. The best way to add 10 TB of historical data to the index without violating the daily license volume is option D: Add 200 GB of historical data each day for 50 days. Here's why each option stands as it does: A. Buying a bigger Splunk license would indeed solve the problem, but it's not the most cost-effective solution if you only need to index the historical data once. B. Adding 2.5 TB each day for the next 5 days would exceed the daily license volume of 500 GB, likely causing a license violation. C. Adding all 10 TB in a single 24-hour period would far exceed the daily volume allowed by the license, leading to a significant license violation. D. Adding 200 GB of historical data each day for 50 days would keep the total daily volume (new data + historical data) at 500 GB, avoiding any license violations. This approach utilizes the full capacity of the license without exceeding it, allowing the historical data to be indexed systematically over time without incurring additional costs or license issues.
C looks good to me. Adding the 10TB historical data within 24 hours. Exceeding the indexing daily quota once will trigger 1 alert then a warning, but only hitting 5 warnings in 30 days will trigger a violation.
Friends, could you please confirm this answer C or D?