Documentation > Splunk > Admin Manual > Types of Splunk licenses

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Getting started for Windows admins
Manage Splunk licenses
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

Types of Splunk licenses

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Types of Splunk licenses

This topic discusses the various Splunk license types and options. Splunk licenses specify how much data a given Splunk instance can index and enable or disable enterprise features such as authentication and distributed search configurations.

Enterprise license

Splunk Enterprise is the standard Splunk license. It allows you to use all Splunk's enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls. Enterprise licenses are available for purchase and can be any indexing volume. Contact Splunk Sales for more information.

The following are additional types of Enterprise licenses, which include all the same features:

Enterprise trial license

When you download Splunk for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days from download. If you are running with a Enterprise trial license and your license expires, Splunk requires you to switch to a Splunk Free license.

Once you have installed Splunk, you can choose to run Splunk with the Enterprise trial license until it expires, purchase an Enterprise license, or switch to the Free license, which is included.

Note: The Enterprise trial license is also sometimes referred to as "download-trial"

Sales trial license

If you are working with Splunk Sales, you can request trial Enterprise licenses of varying size and duration. The default evaluation period is 60 days. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales or your sales rep directly with your request.

Free license

The Free license includes 500MB/day of indexing volume, is free (as in beer), and has no expiration date.

The following features that are available with the Enterprise license are disabled in Splunk Free:

  • Multiple user accounts and role-based access controls
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
  • Deployment management (including for clients)
  • Alerting/monitoring

Learn more about the free version of Splunk later in this manual.

Forwarder license

This license allows forwarding (but not indexing) of unlimited data, and also enables security on the instance so that users must supply username and password to access it. (The free license can also be used to forward an unlimited amount of data, but has no security).

Forwarder licenses are included with Splunk; you do not have to purchase them separately.

Splunk offers several forwarder options:

  • The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation.
  • The light forwarder uses the same license, but you must manually enable it by changing to the Forwarder license group.
  • The heavy forwarder must also be manually converted to the Forwarder license group. If any indexing is to be performed, the instance should instead be given access to an Enterprise license stack. Read "Groups, stacks, pools, and other terminology" in this manual for more information about Splunk license terms.

Licenses for search heads (for distributed search)

A search head is a Splunk instance that distributes searches to other Splunk indexers. Search heads don't usually index any data locally, but you will still want to use a license to restrict access to them.

Note: In versions prior to 4.2, Splunk suggested using a forwarder license on your search heads, but now recommends that you add search heads to an Enterprise license pool even if they are not expected to index any data. If your existing search head has a pre-4.2 forwarder license installed, the forwarder license will not be read after you upgrade.

There is no special type of license specifically for search heads. This simply discusses how to arrange for licensing for search heads.

Beta license

Splunk's Beta releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Beta release of Splunk, it will not run with a Free or Enterprise license. Beta licenses typically enable Enterprise features, they are just restricted to Beta releases. If you are evaluating a Beta version of Splunk, it will come with its own license.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.2.2/Admin/TypesofSplunklicenses"

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!