Vendor / Splunk

Splunk pricing in 2026: per-GB costs, Cloud vs Enterprise, and real spend

The independent Splunk pricing reference. List prices, workload SVC tiers, Cloud vs Enterprise trade-offs, and five real cost scenarios from startup to MSSP. Updated April 2026.

Pricing model

Per GB ingested

Workload SVC tiers since .conf21

List range

$1,800-$3,500

Per GB per year, Cloud

Min. commit

~$30K

Splunk Cloud entry tier

EA discount

25-40%

Multi-year, $500K+ list

How Splunk pricing actually works

Splunk's headline model is per-GB ingested per day, billed monthly or annually depending on contract. The meter starts the moment a log line crosses the forwarder. Compression in storage does not reduce the bill: 1 GB ingested is 1 GB billed regardless of how it sits at rest. That single rule is the single biggest reason Splunk bills run away from forecast.

Workload-based pricing was opened to all Splunk Cloud customers at .conf21 in 2021 and has since become the default-recommended model on new Cloud agreements. It swaps pure ingest for a Splunk Virtual Compute (SVC) unit. SVCs measure search compute, not raw ingest. For predictable, search-heavy workloads this saves 15-25 percent. For ingest-heavy compliance use cases it can run slightly higher than the legacy per-GB model. Read your contract carefully.

On top of base ingest, Splunk sells premium apps that most genuine SIEM deployments require. Enterprise Security (ES) adds 30-60 percent. IT Service Intelligence (ITSI) is a separate line. Splunk SOAR is sold separately again. Stack the add-ons and the true Splunk SIEM bill is roughly 1.7 to 2.2 times the base ingest list price.

Splunk Virtual Compute (SVC): the numbers Splunk does not publish

Splunk does not publish SVC list prices anywhere on splunk.com. The calculator at splunk.com/en_us/products/pricing/pricing-calculator.html sizes SVCs from your inputs and routes to sales. Customer-reported ranges are the only public triangulation available, and the spread is wide.

Cost per SVC, per year

$55K-$75K

Customer-reported range, multiple consistent sources. Splunk publishes no list. Smaller commits trend higher per SVC; enterprise EAs trend lower.

Minimum SVC commit

~100 SVCs

Typical entry tier for new workload-pricing customers. Below this, ingest-based licensing is the more practical model.

SVC-to-GB conversion (rule of thumb)

Workload profile	SVCs per GB/day ingest	Implied at 100 GB/day
Ingest-heavy, light search	1 SVC per 5-7 GB/day	14-20 SVCs
Balanced workload	1 SVC per 3-5 GB/day	20-34 SVCs
Search-heavy, ES + ITSI	1 SVC per 1.5-3 GB/day	34-67 SVCs

Conversion factors triangulated from partner enablement decks and customer-posted breakdowns over 2023-2025. Splunk's own calculator is authoritative for your specific workload but requires sales engagement.

When workload pricing beats ingest pricing

+ Predictable search load against a stable corpus
+ Heavy use of accelerated data models (Enterprise Security)
+ Long-retention searches that re-scan archived data
- Spiky or unpredictable ingest patterns
- Compliance-only logging with minimal search activity
- Small deployments below the ~100 SVC entry tier

Splunk Cloud vs Splunk Enterprise: cost comparison

Splunk Cloud

+ Pure OpEx, no hardware
+ Splunk operates the indexer cluster
+ Faster onboarding, 2-4 weeks typical
- ~20-30% premium per GB vs Enterprise
- Data residency limited to Splunk regions
- Customisation more constrained

50 GB/day Cloud, 365-day retention

~$135K/yr base, ~$310K total TCO

Splunk Enterprise (self-managed)

+ Lower per-GB licence cost
+ Full control over indexer cluster
+ Wins on unit cost above ~750 GB/day
- Hardware: $200K-$500K capex per refresh
- Splunk admin engineer required (~$160K/yr)
- 3-6 month deployment timeline

50 GB/day Enterprise, 365-day retention

~$95K/yr licence, ~$265K total TCO

Splunk Enterprise: vCPU and reference hardware sizing

Self-managed Splunk Enterprise uses Splunk-published reference hardware specs from help.splunk.com. Sizing drives infrastructure cost and is the single biggest variable behind self-managed TCO.

Role / tier	vCPU	RAM	GB/day per indexer
Indexer, minimum reference	24 vCPU	12 GB	Up to 300 GB/day max
Indexer, mid-range	48 vCPU	64 GB	100 GB/day recommended
Indexer, high-performance	96 vCPU	128 GB	Higher with search headroom
Indexer with Enterprise Security	48-96 vCPU	64+ GB	60 GB/day per indexer
Search head	32 vCPU	12 GB	Sized by concurrent users

Source: Splunk Enterprise Deployment Capacity Manual, current documentation at help.splunk.com.

Sustained storage IOPS must meet or exceed 800 per Splunk's published requirement. Below that, search performance degrades under concurrent load and the indexer bottlenecks on disk rather than CPU.

Splunk compresses ingested data roughly 2-to-1 at rest. Plan storage for half the daily ingest volume, multiplied by retention days, with headroom for hot and warm bucket overlap.

Enterprise Security inflates indexer count significantly at the same ingest volume because of accelerated data model rebuilds. A 300 GB/day raw Splunk environment may run on 2-3 indexers; the same environment with ES typically needs 5 or more.

Real-world Splunk cost scenarios

Scenario	Profile	Licence	Total TCO	Notes
Startup	5 GB/day, Splunk Cloud, 90-day retention	$11K-$18K	$28K-$45K	Add-ons stay disabled at this scale
Mid-market	50 GB/day, Splunk Cloud, 365-day retention	$110K-$175K	$280K-$420K	ES add-on typically required for SOC use
Enterprise	200 GB/day, hybrid, 365-day retention	$400K-$700K	$1.1M-$1.7M	Workload pricing softens per-GB at this volume
Large enterprise	1 TB/day, on-prem, 24-month retention	$1.5M-$2.4M	$3.8M-$5.6M	Multi-year EA with 25-40% list discount typical
MSSP multi-tenant	500 GB/day aggregate, Splunk Cloud	$900K-$1.4M	$1.9M-$2.8M	Per-tenant indexing complicates volume math

TCO includes Splunk Cloud licensing or Enterprise licence plus infrastructure, ES add-on, professional services for initial deployment, and one analyst FTE per 50-75 GB per day. Discounts of 25-40 percent are routine on Enterprise Agreements.

Five proven Splunk cost optimisations

Filter at the edge

Save 30-50%

Drop verbose Windows event noise, debug logs, and DNS chatter at the forwarder. Most environments cut 30 percent or more without losing detection coverage.

Summary indexing

Save 10-20%

Roll up high-volume sources into summary indexes for long-term searches. Detail data lives in cold storage; queries hit the summary.

Workload pricing tiers

Save 15-25%

Splunk's SVC-based workload pricing rewards predictable search loads over spiky ingest. Right-sizing SVCs after baseline data exists is essential.

Archive to cold tier

Save 60-80%

S3 or Glacier archive replaces hot storage for retention beyond 90 days. The compliance clock keeps ticking; the indexing bill does not.

Multi-year EA negotiation

Save 25-40%

Enterprise Agreements above $500K list see 25-40 percent off in routine negotiations. Splunk's quarter-end is the right pressure point.

Splunk vs Sentinel vs QRadar at 50 GB per day

Same environment, three vendors, twelve months. List prices before any negotiated discount.

Splunk Cloud

$135K

Licence only, before ES add-on

Microsoft Sentinel

$74K

$4.10/GB at this commit tier

IBM QRadar (cloud)

$110K

~3,500 EPS equivalent

Sentinel wins on raw licence at this volume. Splunk's premium reflects the analytics depth and ES content library. QRadar sits between, with stronger appeal in regulated industries.

FAQ

Common questions

Is Splunk worth the cost in 2026?

For mature SOCs running advanced detections at scale, Splunk remains the analytics gold standard. The premium over Sentinel or Sumo Logic is typically 50-100 percent on raw licensing, but the search performance and ecosystem of premium apps (Enterprise Security, IT Service Intelligence, premium content packs) often justify it. For mid-market organisations under 50 GB per day, Sentinel or Sumo Logic usually wins on TCO without losing meaningful capability.

How much does Splunk cost per GB in 2026?

Splunk Cloud list prices range roughly $1,800-$3,500 per GB per year depending on commit volume and retention. Enterprise term subscriptions are slightly cheaper on the licence line but add infrastructure and operations costs. Workload-based pricing (SVCs) decouples the per-GB headline somewhat: the meter is search compute, not pure ingest. Expect 25-40 percent discounts on multi-year Enterprise Agreements at $500K-plus list value.

How can I reduce my Splunk bill?

Five proven approaches: filter verbose logs at the forwarder before they hit the indexer, use summary indexes to avoid replaying high-volume detail, archive to S3 or equivalent cold storage after 90 days, right-size SVCs against your real workload, and renegotiate at term renewal. Most environments cut 30-50 percent of Splunk spend within twelve months without losing security coverage. We have a dedicated optimisation walkthrough on the pricing models page.

Splunk Cloud or Splunk Enterprise on-prem?

Splunk Cloud removes infrastructure management and is the default choice up to several hundred GB per day. Splunk Enterprise (self-managed) starts to win on unit cost above roughly 750 GB per day, where amortised hardware beats cloud subscription. Hybrid is rare: most organisations land cleanly on one side or the other based on operations capacity and data residency requirements.

What is Splunk Enterprise Security and how much extra does it cost?

Enterprise Security (ES) is Splunk's premium SIEM content layer: prebuilt detections, risk-based alerting, investigation workflow, and threat intelligence framework. ES typically adds 30-60 percent on top of the base ingest licence depending on volume tier. Most genuine SIEM deployments require ES or equivalent custom content. Without ES, you have a log analytics platform, not a SIEM.

Related cost references

Cribl pricing

Cut Splunk ingest 30-50%

Microsoft Sentinel pricing

Direct Splunk Cloud comparator

IBM QRadar pricing

EPS-based pricing model

Pricing models explained

Per-GB vs per-EPS vs per-user

Hidden SIEM costs

Beyond licensing line items

Cloud vs on-premise SIEM

Splunk Cloud vs Enterprise tradeoff