How Splunk licensing works
Contents
How Splunk licensing works
Splunk takes in data from sources you designate and processes it so that you can analyze it in Splunk. We call this process "indexing". For information about the exact indexing process, refer to "What Splunk does with your data" in the Getting Data In Manual.
Splunk licenses specify how much data you can index per calendar day (from midnight to midnight by the clock on the license master).
Any host in your Splunk infrastructure that performs indexing must be licensed to do so. You can either run a standalone indexer with a license installed locally, or you can configure one of your Splunk instances as a license master and set up a license pool from which other indexers, configured as license slaves, can draw.
In addition to indexing volume, access to some Splunk Enterprise features requires an Enterprise license. For more information about different types of licenses, read "Types of Splunk licenses" in this manual.
About the connection between the license master and license slaves
When a license master instance is configured, and license slaves are added to it, the license slaves communicate their usage to the license master every minute. If the license master is unreachable for any reason, the license slave starts a 24-hour timer. If the license slave cannot reach the license master for 24 hours, search is blocked on the license slave (although indexing continues). Users will not be able to search data in the indexes on the license slave until that slave can reach the license master again.
Splunk license lifecycle(s)
When you first install a downloaded copy of Splunk, that instance of Splunk is using a 60-day Trial Enterprise license. This license allows you to try out all of the Enterprise features in Splunk for 60 days, and to index up to 500MB of data per day.
Once the 60 day trial expires (and if you have not purchased and installed an Enterprise license), you are given the option to switch to Splunk Free. Splunk Free includes a subset of the features of Splunk Enterprise and is intended for use in standalone deployments and for short-term forensic investigations. It allows you to index up to 500MB of data a day indefinitely.
Important: Splunk Free does not include authentication or scheduled searches/alerting. This means that any user accessing your Splunk installation (via Splunk Web or the CLI) will not have to provide credentials. Additionally, scheduled saved searches/alerts will no longer fire.
If you want to continue using Splunk's Enterprise features after the 60 day Trial expires, you must purchase an Enterprise license. Contact a Splunk sales rep to learn more.
Once you've purchased and downloaded an Enterprise license, you can install it on your Splunk instance and access Splunk Enterprise features. Check out "Types of Splunk licenses" in this manual for information about Enterprise features.
This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.
What time does it counts as start point for 24 hours a day? Is it from 12am to 12am or the time you installed license? Thank you!