uberAgent

Splunk Data Volume Calculation

When uberAgent is used with Splunk as a backend, a Splunk license is required. Splunk is licensed by daily indexed data volume, i.e., you pay for the total amount of data you send to Splunk per day. How long that data is stored does not matter, only how much new data you add. uberAgent is one of the potentially many data sources that put data into Splunk, contributing to the total data volume.

Estimate or Measure

Customers have a vested interest in knowing how much data each Splunk add-on generates, so they can estimate costs before they buy. In the case of uberAgent, the data volume per host depends greatly on the environment, the types of applications used, the desktop configuration, background processes, the type of browser used and many other variables. For that reason, it is not possible to calculate the data volume with any reasonable accuracy without doing an actual proof of concept implementation (see below). However, if you just want some figures for a very rough first calculation, use the following values for typical clients and servers:

uberAgent UXM data volume

  • Typical data volume per single-user client and working day: 25 MB
  • Typical data volume per multi-user (Citrix CVAD/RDS) server and working day: 90 MB

uberAgent ESA data volume

Using uberAgent ESA in addition to uberAgent UXM will approximately double the data volume per client/server and working day.

Accurate data volume numbers

To get accurate numbers install uberAgent and go to the Data Volume dashboard (see below). You can significantly reduce the data volume through an optimized configuration.

Data Volume Dashboard

If you already have uberAgent installed, you can simply look up the generated data volume by going to the Data Volume dashboard:

uberAgent-Splunk-data-volume-dashboard

Note

Make sure you have configured Splunk correctly or the data volume dashboard may not be able to display values for all metrics.

The dashboard uses macros of the UXM and ESA apps. If you only have the UXM app installed, you see the error message Error in ‘Searchparser’: the search specifies a macro ‘uberAgentESA_score_index’ that cannot be found…. Installing the ESA app solves that issue.

Reducing the Data Volume

Once you have your first installation set up you might want to fine-tune and possibly reduce the data volume. Luckily that is easily possible. Here is how to reduce uberAgent’s data volume.

Splunk Data Volume Calculation