Admin Manual

 


More about Splunk Free

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

More about Splunk Free

Splunk Free is a totally free (as in beer) version of Splunk. It allows you to index up to 500 MB/day and will never expire. This 500 MB limit refers to the amount of new data you can add (we call this indexing) per day, but you can keep adding more and more data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk. If you need more than 500 MB/day, you'll need to purchase a license.

Splunk regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk will continue to index your data, but search will be disabled until you are back down to 3 or fewer warnings in the 30 day period.

What's it for?

Splunk Free is designed for personal, ad-hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets--Splunk Free allows you to bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.

What is included

Splunk Free is a single-user product. All of Splunk's features are supported with the exception of:

  • Multiple user accounts and role-based access controls (there's no authentication when using Splunk Free)
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
  • Deployment management
  • Alerting/monitoring

A Free instance can be used as a forwarder (to a Splunk indexer) but may not be a client of a deployment server.

What does no authentication and access controls mean?

  • There is no login. The command line or browser can access and control all aspects of Splunk with no user/password prompt.
  • All accesses are treated as equivalent to the admin user, there is only one role (admin), and they are not configurable. You cannot add more roles or create user accounts.
  • Searches are run against all public indexes, 'index=*'.
  • Restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
  • The capability system is disabled, all capabilities are enabled for all users accessing Splunk.

Switching to Free from an Enterprise Trial license

When you first download and install Splunk, you are automatically using an Enterprise Trial license. You can continue to use the Enterprise Trial license until it expires, or switch to the Free license right away, depending on your requirements.

What you should know about switching to Free

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

  • User accounts or roles that you've created will no longer work.
  • Anyone connecting to the instance will automatically be logged on as 'admin'. You will no longer see a login screen, though you will see the update check occur.
  • Any knowledge objects created by any user other than 'admin' (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:
    • Use Manager to promote them to be globally available before you switch using the information in this topic.
    • Hand edit the configuration files they are in to promote them as described here.
  • Any alerts you have defined will no longer fire/function, although you can still schedule searches to run for dashboards and summary indexing purposes.
    • You will no longer receive alerts from Splunk.
  • Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats will stop working.

When you attempt to make any of the above configurations in Manager while using an Enterprise Trial license, you will be warned about the above limitations in a Free Splunk.

How do I switch to Splunk Free?

If you currently have Splunk Enterprise (trial or not), you can either wait for your Enterprise license to expire, or switch to a Free license at any time. To switch to a Free License:

1. Log in to Splunk Web as a user with admin privileges and navigate to Manager > Licensing.

2. Click Change license group at the top of the page.

License change group.png

3. Select Free license and click Save.

4. You are prompted to restart.

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 View the Article History for its revisions.


Comments

The issue is that you have a license violation. Switching to Free is not going to clear this violation, you must either wait for the 30-day rolling window to expire your violation, or clean your event data. Switching to Free probably makes this situation worse, since you only are allowed 3 warnings in 30 days vs 5 for Enterprise before search is restricted. refer to http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations for information.

If you have an Enterprise Support contract, you can contact Support and ask for a license reset.

Rachel, Splunker
October 17, 2012

I also have that problem Bootz15, were you able to find a solution?

Willbuck
September 24, 2012

I came looking for information on how to clear "license violations" from a trial version, such a "This pool contains 1 slave/s in violation". I can't search my data, and I'm frustrated as I've tried switching to a Free license to no avail.

Bootz15
July 17, 2012

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!