How Splunk Enterprise licensing works
Licenses specify how much external data you can index per calendar day (from midnight to midnight by the clock on the license master).
Any Splunk Enterprise instance that indexes external data needs a license. If you have a standalone indexer, you can install the license locally. If, instead, you have a distributed deployment of multiple Splunk Enterprise instances, you must configure one of the instances as a license master. You then set up a license pool from which the other instances, configured as license slaves, can draw.
Acess to some Splunk Enterprise features requires an Enterprise license. See Types of Splunk licenses.
How data is metered
For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.
For metrics data, each metric event counts as a fixed 150 bytes. Metrics data does not have a separate license. Ingested metrics data draws from the same license quota as event data.
About the connection between the license master and license slaves
When a license master instance is configured, and license slaves are added to it, the license slaves communicate their usage to the license master every minute. If the license master is unreachable for any reason, the license slave starts a 72 hour timer. If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave (although indexing continues). Users cannot search data in the indexes on the license slave until that slave can reach the license master again.
The Splunk Enterprise trial license
When you first install a downloaded copy of Splunk Enterprise, the installed instance uses a 60 day trial license. This license allows you to try out all of the features in Splunk Enterprise for 60 days, and to index up to 500 MB of data per day.
Once the 60 day trial expires, if you have not purchased and installed an Enterprise license, you are given the option to switch to Splunk Free. Splunk Free includes a a subset of the features of Splunk Enterprise and is intended for use in standalone deployments and for short-term forensic investigations. It allows you to index up to 500 MB of data a day indefinitely.
For details on Splunk Free, including the features that it provides, see About Splunk Free
Splunk Free does not include authentication. This means that any user can access your installation through Splunk Web or the CLI without providing credentials.
Additionally, Splunk Free does not include scheduled saved searches or alerts, so any saved searches or alerts that you have previously configured will no longer run once you switch to Splunk Free.
If you want to continue using Splunk Enterprise features after the 60 day trial expires, you must purchase an Enterprise license. Contact a Splunk sales rep to learn more. See Types of Splunk licenses for information on Enterprise licenses.
About update checker data
Types of Splunk software licenses
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0