About Splunk licenses
This documentation does not apply to the most recent version of Splunk.
Contents
- Which license?
- Free versus Enterprise
- Large Trial Enterprise license
- How to renew your 500MB Trial Enterprise license
- Preview license
- Forwarding license
- View your license and usage details
- View license information in Splunk Web
- Show license information in the CLI
- Install or update your license
- Migrating to 4.0
- Licenses for distributed deployments
- License violations
About Splunk licenses
Each instance of Splunk server must have its own license. This topic discusses the different Splunk licenses, how to install or update a license, and what to do when you have a violation on your license.
Note: You must purchase a separate license for every instance of Splunk that you deploy.
Which license?
Splunk provides two standard types of licenses, a Free license and an Enterprise license. To evaluate Enterprise features, you can request a trial Enterprise license before purchasing.
Note: If you evaluate a Splunk Preview release, it will include the required license.
Free versus Enterprise
Note: Splunk 4.0 comes with a temporary (60 day) Enterprise trial license. The Free license will be available in an upcoming release.
When you download Splunk for the first time, you are asked to register. Your registration authorizes you to receive the Free license, which allows a maximum indexing volume of 500 MB/day. The Free license is not a trial license and does not have an expiration date. The Enterprise license enables higher data indexing volume and the following additional features:
- Multiple user accounts and access controls.
- Distributed search and data routing.
- Deployment management.
To evaluate these features before you purchase an Enterprise license, you can request a 30-day trial Enterprise license.
Find more information about the different license features here. Also, read Splunk's Free license agreement.
Large Trial Enterprise license
You can request trial Enterprise licenses of varying size and duration. The default evaluation period is 30 days. If you are running with a trial license and your license expires, Splunk continues to index your data. However, you will not be able to search until you install a new license.
Note: Splunk 4.0 comes with a temporary (60 day) Enterprise trial license. The Free license will be available in an upcoming release, at which time the Enterprise trial license will be by request only.
How to renew your 500MB Trial Enterprise license
We have been regularly updating our download package with a new license until the free version is complete. You can download any of the tarballs (.tgz files), untar it, and grab the $SPLUNK_HOME/etc/splunk-enttrial.license file; this is your new trial license.
Rename it to splunk.license, drop it into your existing $SPLUNK_HOME/etc directory, and restart Splunk. Your instance will then have an updated trial license.
Preview license
Splunk's Preview releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Preview release of Splunk, it will not run with a Free or Enterprise license. Preview licenses typically enable Enterprise features; they are just restricted to Preview releases.
Forwarding license
Each instance of Splunk server must have its own license. Splunk includes a forwarder license that you must install on each Splunk forwarder. This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.
It is not necessary to apply this license to enable forwarding. The main advantage of this license is that it enables security on a forwarding license, requiring a user to log in to access it.
1. Stop Splunk: ./splunk stop
2. Copy $SPLUNK_HOME/etc/splunk-forwarder.license to $SPLUNK_HOME/etc/splunk.license
3. Start Splunk: ./splunk start
This license does not limit how much data you can forward from that machine.
View your license and usage details
You can view details about your license from Splunk Web or the command line interface (CLI). The details about your license include general information, such as the type of license, the indexing level, and the expiration date of the license.
View license information in Splunk Web
To view your license details in Splunk Web, go to Manager >> License and look under "License & Usage". In addition to the general information about your license, the details include the count of days until your license expires, the peak indexed amount (in MB), and the count of violations against your license.
Note: You can also install and update your license from this page.
Also, you can search for information about your server's indexing volumes. For a report on the daily indexed volume, use this search:
index=_internal todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host
Show license information in the CLI
If you have access to the CLI, you can view details about your license with:
./splunk help show license
The CLI displays the same general details, but also includes information about the state of your license, such as the maximum number of violations (Max Violations) permitted by the license within the grace period moving window (Violation Period). Splunk also displays an "Expiration State", which tells you when your license is either "7" days or "1" day from expiring; otherwise, it is "ok".
Install or update your license
All Splunk servers have a license located in $SPLUNK_HOME/etc/, whether it is a Free license (splunk-free.license) or an Enterprise license (splunk.license). You can install and update your licenses with the CLI or from Splunk Web's Manager >> License page.
Refer to the Admin Manual for instructions to install or update your Splunk license.
Migrating to 4.0
If you migrated a 3.x Splunk instance directly to 4.0, remove the $SPLUNK_HOME/etc/splunk.license file before you run Splunk. The instance will then pick up the 60-day Enterprise trial license that is included with 4.0.
If you have a current Enterprise license/support contract for 3.x, an updated license is waiting for you. Log into splunk.com and go to http://www.splunk.com/store/myorders to pick it up. Replace your existing $SPLUNK_HOME/etc/splunk.license file with the new file, or use the instructions for updating your Splunk license.
Licenses for distributed deployments
If you have Splunk running on multiple hosts in a distributed environment, you must have a separate unique license key for each host. If you have been using a single license key for all your hosts, this will not work in versions 4.0 and later (except with an Enterprise Trial license, starting with version 4.0.3). Contact Splunk Support to have your license broken up into multiple keys for this purpose, or email Splunk Sales to purchase additional keys.
License violations
Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have more than 5 violations in a rolling 30-day period, search will be disabled. Search capabilities return when you have fewer than 5 violations in the previous 30 days or when you apply a new license with a larger volume limit.
Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks access while you exceed your license.
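The rolling-window rule above can be traced day by day to see when search is lost and when it returns. This is an added example, not Splunk's code; the function name and sample volumes are constructed. It assumes the window covers the current day plus the previous 29 days, which this page does not specify.

```python
from collections import deque

# Constructed sample: 40 days of indexed volume in MB, with six days over
# a 500 MB/day quota (days 0, 2, 4, 6, 8 and 10).
SAMPLE_DAILY_MB = [600 if d in {0, 2, 4, 6, 8, 10} else 300 for d in range(40)]


def search_availability(daily_mb, quota_mb=500, max_violations=5, window_days=30):
    """Return one (day, violations_in_window, search_enabled) tuple per day.

    Rules taken from the page: a day over quota is a violation; more than
    max_violations in the rolling window disables search; search returns
    once the count drops below max_violations.
    Assumption: the window is the current day plus window_days - 1 earlier days.
    """
    violation_days = deque()  # day indexes that exceeded the quota
    enabled = True
    timeline = []
    for day, volume in enumerate(daily_mb):
        if volume > quota_mb:
            violation_days.append(day)
        # Drop violations that have aged out of the rolling window.
        while violation_days and violation_days[0] <= day - window_days:
            violation_days.popleft()
        count = len(violation_days)
        if count > max_violations:
            enabled = False   # "more than 5 violations": search disabled
        elif count < max_violations:
            enabled = True    # "fewer than 5 violations": search returns
        # Exactly max_violations: neither rule fires, so the state persists.
        timeline.append((day, count, enabled))
    return timeline


if __name__ == "__main__":
    previous = True
    for day, count, enabled in search_availability(SAMPLE_DAILY_MB):
        if enabled != previous:
            state = "restored" if enabled else "disabled"
            print(f"day {day}: search {state} ({count} violations in window)")
        previous = enabled
```

At exactly five violations neither rule on this page applies, so a disabled instance stays disabled until a further violation ages out of the window. Because indexing continues throughout, the data is retained but cannot be searched during that period.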
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4