How Apto Solutions helped a major financial services company control its Splunk spend.
Client Overview
Our customer is one of the UK’s largest mutual life, pensions and investment companies. Its technology estate spans a broad set of security, infrastructure and application teams, all sharing a centralised Splunk Cloud platform that had grown organically over several years. With a licence renewal approaching, the business needed a clear, evidence-based view of how the platform was being used, what it was costing, and how that cost could be allocated fairly across the teams that depended on it.
The Challenge
The customer's Splunk platform had originated on the security side of the business and expanded to serve a much wider set of stakeholders, from Operational Security and Infrastructure Management to Savings, Investments and Data & Integration Technologies. As the platform grew, its cost and usage became increasingly opaque. Key concerns included:
- High and rising platform costs with no clear breakdown of who was driving consumption.
- A large and opaque data estate spanning 97 indexes, 1.6 TB of daily ingest, and over 400 TB of combined searchable and archival storage.
- 6,400+ saved searches across two search heads, with no systematic view of which were driving licensing cost.
- No shared cost model, making it difficult to have a fair and productive conversation about licence spend across the business.
Apto Solutions was engaged to provide an independent, data-led investigation of the Splunk platform with the goal of delivering clear insights into usage, cost drivers, and a practical foundation for a shared cost model.
Our Approach
Apto’s platform investigation follows a structured discovery process tailored to each client’s environment and objectives. Here, the work was anchored by three parallel workstreams that ran over a 30-day observation window and were supplemented by stakeholder workshops to ground analysis in the human reality of platform use.
- Data Usage Analysis
Apto analysed Splunk’s audit index to map search behaviour at the index and sourcetype level across ad-hoc, dashboard, scheduled and API search types. This provided a ground-truth view of what data was actually being queried (as opposed to what was being ingested) and gave a clear picture of which sources carried genuine operational value and which were candidates for reduction or removal.
- SVC (Licence Workload) Breakdown
Splunk Virtual Compute (SVC), the standardised unit of compute capacity and therefore of licence cost in Splunk Cloud, was decomposed by search type, application, user and individual search. This allowed Apto to pinpoint exactly which workloads were driving licensing cost and to quantify the reduction achievable through targeted optimisation.
- Shared Cost Model Design
Drawing on the usage and SVC data, Apto designed an evidence-based shared cost model that combines compute (SVC) and ingest (GB) on a 70/30 weighting to reflect actual licence mechanics. The model was designed to be practical and operable, supporting both a showback phase and a future chargeback regime, while keeping governance simple with a single accountable owner per application and data source.
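The kind of audit-index analysis described in the Data Usage Analysis workstream, as an added example that is not Apto's or Splunk's code. It classifies constructed records modelled on events from Splunk's `_audit` index (`action=search info=completed`) into ad-hoc, dashboard, scheduled and API searches, tallies which indexes and sourcetypes are actually queried, ranks searches by total run time, and compares queried indexes against a daily-ingest table to surface indexes that receive data but are never searched. The field names `provenance`, `savedsearch_name` and `total_run_time`, the classification rules and every figure below are assumptions.

```python
"""Map search behaviour by type, index and sourcetype from audit-style records.

Added example, not Apto's or Splunk's code. AUDIT_EVENTS and DAILY_INGEST_GB are
constructed samples; the field names and the classification rules are assumptions
modelled on Splunk's _audit index.
"""
import re
from collections import Counter, defaultdict

AUDIT_EVENTS = [  # constructed sample records, not customer data
    {"user": "analyst1", "provenance": "UI:Search", "savedsearch_name": "", "total_run_time": 12.4,
     "search": "search index=firewall sourcetype=pan:traffic action=blocked | stats count by src_ip"},
    {"user": "splunk-system-user", "provenance": "scheduler", "savedsearch_name": "Brute force - failed logons",
     "total_run_time": 41.0,
     "search": "search index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | stats count by user"},
    {"user": "soc_dash", "provenance": "UI:Dashboard:search:soc_overview", "savedsearch_name": "",
     "total_run_time": 8.2, "search": "search index=firewall sourcetype=pan:threat | timechart count"},
    {"user": "svc_api", "provenance": "rest", "savedsearch_name": "", "total_run_time": 3.1,
     "search": "search index=proxy sourcetype=bluecoat:proxysg | head 100"},
    {"user": "splunk-system-user", "provenance": "scheduler", "savedsearch_name": "Brute force - failed logons",
     "total_run_time": 39.7,
     "search": "search index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | stats count by user"},
]

# Constructed daily ingest per index (GB); the ingested-vs-queried comparison needs both views.
DAILY_INGEST_GB = {"firewall": 420.0, "wineventlog": 310.0, "proxy": 260.0, "netflow": 380.0, "iis": 90.0}

INDEX_RE = re.compile(r'\bindex\s*=\s*"?([\w*:-]+)"?', re.I)
SOURCETYPE_RE = re.compile(r'\bsourcetype\s*=\s*"?([\w:*.-]+)"?', re.I)


def classify(event):
    """Assumed rule: scheduler or a saved-search name -> scheduled; UI:Dashboard -> dashboard;
    any other UI provenance -> ad-hoc; everything else (REST/SDK) -> api."""
    prov = event.get("provenance", "")
    if event.get("savedsearch_name") or prov == "scheduler":
        return "scheduled"
    if prov.startswith("UI:Dashboard"):
        return "dashboard"
    if prov.startswith("UI:"):
        return "ad-hoc"
    return "api"


def summarise(events):
    """Count searches and run time by type, and count how often each index/sourcetype is queried."""
    by_type, runtime_by_type = Counter(), defaultdict(float)
    index_hits, sourcetype_hits = Counter(), Counter()
    for e in events:
        kind = classify(e)
        by_type[kind] += 1
        runtime_by_type[kind] += e["total_run_time"]
        for idx in INDEX_RE.findall(e["search"]):
            index_hits[idx.lower()] += 1
        for st in SOURCETYPE_RE.findall(e["search"]):
            sourcetype_hits[st.lower()] += 1
    return {"searches_by_type": dict(by_type), "runtime_by_type": dict(runtime_by_type),
            "index_hits": dict(index_hits), "sourcetype_hits": dict(sourcetype_hits)}


def heaviest_searches(events, n=3):
    """Rank searches by total run time; scheduled searches are keyed by saved-search name."""
    totals = defaultdict(float)
    for e in events:
        totals[e["savedsearch_name"] or e["search"]] += e["total_run_time"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


def unqueried_indexes(index_hits, ingest_gb):
    """Indexes that receive data but appear in no search: candidates for reduction or removal."""
    return sorted(((idx, gb) for idx, gb in ingest_gb.items() if idx not in index_hits),
                  key=lambda kv: -kv[1])


if __name__ == "__main__":
    summary = summarise(AUDIT_EVENTS)
    print(summary["searches_by_type"])
    print(heaviest_searches(AUDIT_EVENTS))
    print(unqueried_indexes(summary["index_hits"], DAILY_INGEST_GB))
```

On a real platform the regex pass over the raw search string is a rough first cut: macros, data models and `| tstats` queries reference indexes indirectly, so a production analysis would also resolve those before deciding a source is unused.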
Key Findings
A small number of data sources drive most value
A limited set of sources accounts for the vast majority of data ingested. The top 10 make up 89% of total volume, and these are also the most actively used sources within security, highlighting their importance to daily security operations.
At the same time, there is a clear opportunity to reduce cost by addressing low-value data. Some sources generate large volumes but are rarely searched, and often contain repetitive or low-value information. Filtering or reducing these would lower costs without affecting outcomes.
Search activity is the main cost driver
Most platform cost is driven by search activity (72%) rather than data ingestion (23%). The majority of this search cost comes from automated processes such as scheduled searches and detection rules. Whilst this makes costs more predictable and controllable, search quality is key, as is managing the search lifecycle so that searches no longer required or used are retired. A small number of searches account for a disproportionate share of usage.
Creating a Shared Cost Model
With a clear evidence base in place, Apto designed a practical shared cost model for Splunk Cloud spend. The model is designed to be introduced in two phases: a two-month showback period to give teams visibility of their usage before billing begins, followed by quarterly chargeback using three-month rolling averages. Each application and data source carries a single accountable owner, and workloads in the generic search app are treated as platform overhead, incentivising the platform team to enforce good governance.
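The allocation mechanics described above, as an added example that is not Apto's model implementation. It applies the 70/30 SVC/GB weighting to three-month rolling averages of per-owner usage, charges workloads in the generic search app to the platform team as overhead, and refuses to run if any application or data source has more than one owner. The owner names, the app name `search` for the generic app, the usage figures and the period cost are all assumptions.

```python
"""Shared cost model: 70% SVC / 30% GB weighting over rolling averages.

Added example, not Apto's implementation. MONTHS is a constructed usage dataset;
GENERIC_APP, PLATFORM_OWNER and the owner names are assumptions.
"""
from collections import defaultdict

SVC_WEIGHT, GB_WEIGHT = 0.70, 0.30   # weighting from the case study
GENERIC_APP = "search"               # assumption: the generic search app is named "search"
PLATFORM_OWNER = "platform-team"     # assumption: overhead is charged to this owner

# Constructed monthly usage, oldest first: one record per application or data source.
MONTHS = [
    [{"app": "es", "owner": "soc", "svc": 120.0, "gb": 900.0},
     {"app": "infra_mon", "owner": "infra", "svc": 40.0, "gb": 600.0},
     {"app": "search", "owner": "unassigned", "svc": 40.0, "gb": 0.0}],
    [{"app": "es", "owner": "soc", "svc": 130.0, "gb": 900.0},
     {"app": "infra_mon", "owner": "infra", "svc": 40.0, "gb": 600.0},
     {"app": "search", "owner": "unassigned", "svc": 40.0, "gb": 0.0}],
    [{"app": "es", "owner": "soc", "svc": 110.0, "gb": 900.0},
     {"app": "infra_mon", "owner": "infra", "svc": 40.0, "gb": 600.0},
     {"app": "search", "owner": "unassigned", "svc": 40.0, "gb": 0.0}],
]


def check_single_owner(month):
    """Governance rule from the model: every app/data source has exactly one accountable owner."""
    owners = defaultdict(set)
    for r in month:
        owners[r["app"]].add(r["owner"])
    dups = {app: sorted(o) for app, o in owners.items() if len(o) > 1}
    if dups:
        raise ValueError(f"applications with more than one owner: {dups}")


def rolling_average(months):
    """Average SVC and GB per owner over the supplied months; generic-app usage goes to the platform team."""
    acc = defaultdict(lambda: {"svc": 0.0, "gb": 0.0})
    n = len(months)
    for month in months:
        check_single_owner(month)
        for r in month:
            owner = PLATFORM_OWNER if r["app"] == GENERIC_APP else r["owner"]
            acc[owner]["svc"] += r["svc"] / n
            acc[owner]["gb"] += r["gb"] / n
    return dict(acc)


def weighted_shares(avg_usage):
    """Each owner's share = 0.7 * (its SVC / total SVC) + 0.3 * (its GB / total GB); shares sum to 1."""
    total_svc = sum(v["svc"] for v in avg_usage.values())
    total_gb = sum(v["gb"] for v in avg_usage.values())
    shares = {}
    for owner, v in avg_usage.items():
        svc_share = v["svc"] / total_svc if total_svc else 0.0
        gb_share = v["gb"] / total_gb if total_gb else 0.0
        shares[owner] = SVC_WEIGHT * svc_share + GB_WEIGHT * gb_share
    return shares


def allocate(months, period_cost, phase="chargeback", window=3):
    """Distribute period_cost across owners using the trailing `window` months.
    phase="showback" reports the same figures without billing (a label for the report)."""
    shares = weighted_shares(rolling_average(months[-window:]))
    return {"phase": phase,
            "allocation": {owner: round(period_cost * s, 2) for owner, s in shares.items()}}


if __name__ == "__main__":
    print(allocate(MONTHS[:2], 100_000.0, phase="showback", window=2))  # two-month showback
    print(allocate(MONTHS, 100_000.0))                                  # quarterly chargeback
```

With the constructed figures the SOC carries 60% of the quarterly cost (60% of SVC and 60% of GB), infrastructure 26%, and the platform team 14% for the ungoverned search-app workload, which is the lever the model gives the platform team to push owners to claim or retire those searches.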
Recommendations
Apto’s analysis produced a prioritised set of recommendations spanning immediate optimisation actions, governance changes and a longer-term data strategy.
Outcome
Apto’s Platform Investigation delivered exactly what this customer needed ahead of their Splunk licence renewal: a clear, evidence-based view of who is using the platform, what it is costing, and where the most impactful optimisations lie. For the first time, the customer had a shared language for Splunk cost conversations across domains.
The shared cost model gives the business a practical, fair mechanism to distribute spend in proportion to actual usage – creating financial accountability, reinforcing good platform hygiene and providing each team with direct levers to reduce their own costs by optimising the searches and data sources they own. With 10–20% SVC savings identifiable from just two searches, the investigation quickly paid for itself and set the foundation for a more mature, cost-conscious approach to platform governance going forward.
