About Splunk licenses

About Splunk licenses

Each instance of Splunk must have its own license. This topic discusses the different Splunk licenses, how to install or update a license, and what to do when you have a violation on your license.

Note: When running Splunk Enterprise, you must purchase a separate license for every instance of Splunk that you deploy.

Enterprise vs. Free license

Splunk provides two standard types of licenses, an Enterprise license, and a Free license.

When you download Splunk for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days from download. If you are running with a Enterprise trial license and your license expires, Splunk continues to index your data. However, you will not be able to search until you install a new license.

Once you have installed Splunk, you can choose to run Splunk with the Enterprise trial license until it expires, purchase an Enterprise license, or switch to the Free license, which is included.

The Free license is not a trial license and does not have an expiration date. It also allows 500MB/day of indexing volume, but the following features that are available with the Enterprise license are disabled:

• Multiple user accounts and role-based access controls
• Distributed search
• Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
• Deployment management (including for clients)
• Scheduled saved searches (including summary indexing) and alerting/monitoring

Learn more about Splunk with a Free license

Find more information about the different license features here. Also, read Splunk's Free license agreement.

Forwarding license

A license isn't required to enable forwarding, but enables security on the forwarder so that users must supply username and password to access it. Splunk includes a forwarder license that you can install on each Splunk forwarder. This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.

Each instance of Splunk that does any indexing must have its own license.

1. Stop Splunk: ./splunk stop

2. Copy $SPLUNK_HOME/etc/splunk-forwarder.license to $SPLUNK_HOME/etc/splunk.license

3. Start Splunk: ./splunk start

This license does not limit how much data you can forward from that machine.

Search head license

A search head does not normally index any data, but you don't want unrestricted access on there either. Apply a forwarder license to enable authentication on your search head instance.

Summary index searches count towards your indexed data volume. If you run these searches on your search head, it will violate the forwarder license and search functionality will be disabled. To avoid this, configure your summary index searches on your indexing instances instead.

Custom trial Enterprise license

You can request trial Enterprise licenses of varying size and duration. The default evaluation period is 60 days. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales with your request.

Preview license

Splunk's Preview releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Preview release of Splunk, it will not run with a Free or Enterprise license. Preview licenses typically enable Enterprise features, they are just restricted to Preview releases. If you are evaluating a Preview version of Splunk, it will come with its own license.

View your license and usage details

You can view details about your license from Splunk Web or the command line interface (CLI). The details about your license include general information, such as the type of license, the indexing level, and the expiration date of the license.

View license information in Splunk Web

To view your license details in Splunk Web, go to Manager > License. Under "License & Usage". In addition to the general information about your license, the details include: the count of days until your license expires, the peak indexed amount (in MB), and the count of violations against your license.

Note: You can also install and update your license from this page.

You can also use search to learn information about indexing volumes. For a report on the daily indexed volume, use this search:

Show license information in the CLI

If you have access to the CLI, you can view details about your license with:

./splunk show license

The CLI displays the same general details, but also includes information about the state of your license, such as the maximum number of violations (Max Violations) permitted by the license within the grace period moving window (Violation Period). Splunk also displays an "Expiration State", which tells you when you license is either "7" days or "1" day from expiring; otherwise, it is "ok".

Install or update your license

All Splunk servers have a license located in $SPLUNK_HOME/etc/, whether it is a Free license (splunk-free.license) or an Enterprise license (splunk.license). You can install and update your licenses with the CLI or from Splunk Web's Manager > License page.

Refer to the Admin Manual for instructions to install or update your Splunk license.

Migrating to 4.0

If you migrated a 3.x Splunk instance directly to 4.0, remove the $SPLUNK_HOME/etc/splunk.license file before you run Splunk. The instance will then pick up the 60-day Enterprise trial license that is included with 4.0.

If you have a current Enterprise license/support contract for 3.x, an updated license is waiting for you. Log into splunk.com and go to http://www.splunk.com/store/myorders to pick it up. Replace your existing $SPLUNK_HOME/etc/splunk.license file with the new file, or use the instructions for updating your Splunk license.

Licenses for distributed deployments

If you have Splunk running on multiple hosts in a distributed environment, you must have a separate unique license key for each host. If you have been using a single license key for all your hosts, this will not work in versions 4.0 and later (except with an Enterprise Trial license, starting with version 4.0.3). Contact Splunk Support to have your license broken up into multiple keys for this purpose, or email Splunk Sales to purchase additional keys.

License violations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more violations on an Enterprise license or 3 violations on a Free license in a rolling 30-day period, search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) violations in the previous 30 days or when you apply a new license with a larger volume limit.

Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks access while you exceed your license.

Note: Searches to the _internal index are not disabled even during a licensing-enforcement period, so you can still access the Indexing Status dashboard, or run searches against _internal to diagnose the licensing problem.

Got License Violations? Click here to troubleshoot.

• Was this topic useful?
• Post a comment