Splunk® Enterprise

Admin Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Types of Splunk software licenses

Each Splunk software instance requires a license. Splunk licenses specify how much data a given Splunk platform instance can index and what features you have access to. This topic discusses the various license types and options.

There are several types of licenses, including:

  • The Enterprise license enables all Enterprise features, such as authentication and distributed search. As of Splunk Enterprise 6.5.0, new Enterprise licenses are no-enforcement licenses.
  • The Free license allows for a limited indexing volume, and disables some features, including authentication. The Free license is perpetual.
  • The Forwarder license allows you to forward, but not index, data, and it enables authentication.
  • The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
  • A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.

Also discussed in this topic are licensing considerations for a deployment including distributed search or indexer clustering.

For information about upgrading a pre-4.2 license, see Migrate to the new Splunk Enterprise licenser in the Installation Manual.

Splunk Enterprise licenses

A Splunk Enterprise license is a standard Splunk software license. It allows you to use all Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls. Enterprise licenses are available for purchase and can be any indexing volume. Contact Splunk Sales for more information.

The following are additional types of Enterprise licenses, which include all the same features:

No-enforcement license

If your license master is running Splunk Enterprise 6.5.0 or later, you can use a no-enforcement Enterprise license. This new license type allows users to keep searching even if you acquire five warnings in a 30 day window. Your license master still considers itself in violation, but search is not blocked.

A no-enforcement license stacks with other Enterprise licenses. Stacking a no-enforcement license on top of another valid Enterprise license changes the behavior of the entire stack to the no-enforcement behavior.

Enterprise trial license

When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days after you start using Splunk software. If you are using an Enterprise trial license and your license expires, Splunk requires you to switch to a Splunk Free license.

Once you have installed Splunk software, you can choose to run it with the Enterprise trial license until the license expires, purchase an Enterprise license, or switch to the Free license, which is included.

Note: The Enterprise trial license is also sometimes referred to as "download-trial."

Sales trial license

If you work with Splunk Sales, you can request trial Enterprise licenses of varying size and duration. The Enterprise trial license expires 60 days after you start using Splunk software. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales or your sales representative directly with your request.

Dev/Test licenses

With certain license programs you might have access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a single instance Splunk Enterprise deployment on version 6.5.0 or later.

Caution: A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license with an Enterprise license, the Enterprise license file will be replaced.

Free license

The Free license includes 500 MB/day of indexing volume, is free (as in beer), and has no expiration date.

The following features that are available with the Enterprise license are disabled in Splunk Free:

  • Multiple user accounts and role-based access controls
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
  • Deployment management (including for clients)
  • Alerting/monitoring
  • Authentication and user management, including native authentication, LDAP, and scripted authentication.
    • There is no login. The command line or browser can access and control all aspects of Splunk software with no user/password prompt.
    • You cannot add more roles or create user accounts.
    • Searches are run against all public indexes, 'index=*' and restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
    • The capability system is disabled, all capabilities are enabled for all users accessing Splunk software.

See More about Splunk Free.

Compare license features

Consult this table for a comparison of major license types.

Behavior or functionality Enterprise pre-6.5.0 No-
enforcement Enterprise
Personalized Dev/Test Enterprise Trial Free
Blocks search while in violation yes no varies yes yes
Logs internally and displays message in Splunk Web when in warning or violation yes yes yes yes yes
Stacks with other licenses yes yes no yes no
Full Enterprise feature set yes yes no yes no

Forwarder license

This license allows forwarding (but not indexing) of unlimited data, and also enables security on the instance so that users must supply username and password to access it. (The free license can also be used to forward an unlimited amount of data, but has no security.)

Forwarder licenses are included with Splunk; you do not have to purchase them separately.

Splunk offers several forwarder options:

  • The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation.
  • The light forwarder uses the same license, but you must manually enable it by changing to the Forwarder license group.
  • The heavy forwarder must also be manually converted to the Forwarder license group. If any indexing is to be performed, the instance should instead be given access to an Enterprise license stack. Read Groups, stacks, pools, and other terminology for more information about Splunk license terms.

Beta license

Splunk's Beta releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Beta release of Splunk, it will not run with a Free or Enterprise license. Beta licenses typically enable Enterprise features, they are just restricted to Beta releases. If you are evaluating a Beta version of Splunk, it will come with its own license.

Licenses for search heads (for distributed search)

A search head is a Splunk instance that distributes searches to other Splunk indexers. Although search heads don't usually index any data locally, you will still want to use a license to restrict access to them.

There is no special type of license specifically for search heads, that is to say, there is no "Search head license". However, you must have an Enterprise license to configure a search head. Splunk recommends that you add the search heads to an Enterprise license pool even if they are not expected to index any data. Read Groups, stacks, pools, and other terminology and Create or edit a license pool.

Note: If your existing search head has a pre-4.2 forwarder license installed, the forwarder license will not be read after you upgrade.

Licenses for search head cluster members

A search head cluster is a group of search heads that coordinate their activities. Each search head in a search head cluster is known as a member.

Each search head cluster member has the same licensing requirements as a standalone search head. See System requirements and other deployment considerations for search head clusters in Distributed Search.

Licenses for indexer cluster nodes (for index replication)

As with any Splunk deployment, your licensing requirements are driven by the volume of data your indexers process. Contact your Splunk sales representative to purchase additional license volume.

There are just a few license issues that are specific to index replication:

  • All cluster nodes, including masters, peers, and search heads, need to be in an Enterprise license pool, even if they're not expected to index any data.
  • Cluster nodes must share the same licensing configuration.
  • Only incoming data counts against the license; replicated data does not.
  • You cannot use index replication with a Free license.

Read more about System requirements and other deployment considerations in Managing Indexers and Clusters of Indexers.

PREVIOUS
How Splunk Enterprise licensing works
  NEXT
Groups, stacks, pools, and other terminology

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters