Types of Splunk software licenses
Each Splunk software instance requires a license. Splunk licenses specify how much data a given Splunk platform instance can index and what features you have access to. This topic discusses the various license types and options.
There are several types of licenses, including:
- The Enterprise license enables all Enterprise features, such as authentication and distributed search. As of Splunk Enterprise 6.5.0, new Enterprise licenses are no-enforcement licenses.
- The Free license allows for a limited indexing volume, and disables some features, including authentication. The Free license is perpetual.
- The Forwarder license allows you to forward, but not index, data, and it enables authentication.
- The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
- A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.
Also discussed in this topic are licensing considerations for a deployment including distributed search or indexer clustering.
Splunk Enterprise licenses
There are several types of Splunk Enterprise licenses. They all include access to the same set of Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls.
Standard Splunk Enterprise license
The standard Splunk Enterprise license is available for purchase and can be configured for any indexing volume. Contact Splunk Sales for information.
If your license master is running Splunk Enterprise 6.5.0 or later, you can use a no-enforcement Enterprise license. This new license type allows users to keep searching even if you acquire five warnings in a 30 day window. Your license master still considers itself in violation, but search is not blocked.
A no-enforcement license stacks with other Enterprise licenses. Stacking a no-enforcement license on top of another valid Enterprise license changes the behavior of the entire stack to the no-enforcement behavior.
Enterprise trial license
When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise Trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise Trial license expires 60 days after you start using Splunk software. If you are using an Enterprise Trial license and your license expires, Splunk requires you to switch to a Splunk Free license.
Once you have installed Splunk software, you can choose to run it with the Enterprise Trial license until the license expires, purchase an Enterprise license, or switch to the Free license, which is included.
The Trial license is designed for standalone use. You cannot use it with a distributed Splunk Enterprise deployment..
The Enterprise trial license is also sometimes referred to as "download-trial."
Sales trial license
If you work with Splunk Sales, you can request trial Enterprise licenses of varying size and duration. The Enterprise trial license expires 60 days after you start using Splunk software. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales or your sales representative directly with your request.
With certain license programs, you might have access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a single instance Splunk Enterprise deployment on version 6.5.0 or later.
A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license over an Enterprise license, the Enterprise license file will be replaced.
The Free license includes 500 MB/day of indexing volume, is free of charge, and has no expiration date.
The following features that are available with the Enterprise license are disabled in Splunk Free:
- Multiple user accounts and role-based access controls
- Distributed search
- Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
- Deployment management (including for clients)
- Authentication and user management, including native authentication, LDAP, and scripted authentication.
- There is no login. The command line or browser can access and control all aspects of Splunk software with no user/password prompt.
- You cannot add more roles or create user accounts.
- Searches are run against all public indexes, 'index=*' and restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
- The capability system is disabled, all capabilities are enabled for all users accessing Splunk software.
Compare license features
Consult this table for a comparison of major license types.
|Behavior or functionality||Enterprise pre-6.5.0||No-
|Personalized Dev/Test||Enterprise Trial||Free|
|Blocks search while in violation||yes||no||varies||yes||yes|
|Logs internally and displays message in Splunk Web when in warning or violation||yes||yes||yes||yes||yes|
|Stacks with other licenses||yes||yes||no||yes||no|
|Full Enterprise feature set||yes||yes||no||yes||no|
This license allows forwarding (but not indexing) of unlimited data, and also enables security on the instance so that users must supply username and password to access it. (The free license can also be used to forward an unlimited amount of data, but has no security.)
Forwarder licenses are included with Splunk; you do not have to purchase them separately.
Splunk offers several forwarder options:
- The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation.
- The light forwarder uses the same license, but you must manually enable it by changing to the Forwarder license group.
- The heavy forwarder must also be manually converted to the Forwarder license group. If any indexing is to be performed, the instance should instead be given access to an Enterprise license stack. Read Groups, stacks, pools, and other terminology for more information about Splunk license terms.
Splunk's Beta releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Beta release of Splunk, it will not run with a Free or Enterprise license. Beta licenses typically enable Enterprise features, they are just restricted to Beta releases. If you are evaluating a Beta version of Splunk, it will come with its own license.
Licenses for search heads
In a distributed search deployment that follows the recommended guidelines, the search heads do not ingest external data. Rather, they rely on the indexers to perform that task. Therefore, well-configured search heads do not consume licensing volume.
Even if search heads do not consume licensing volume, they still need access to an Enterprise license. They usually obtain such access by participating in a license pool.
The Enterprise license unlocks access to important Enterprise features, such as distributed search. A Splunk Enterprise instance designated as a dedicated search head therefore requires access to an Enterprise license in order to function as a search head.
For information on other features that require an Enterprise license, see More about Splunk Free.
Licenses for search head cluster members
A search head cluster is a group of search heads that coordinate their activities. Each search head in a search head cluster is known as a member.
Each search head cluster member has the same licensing requirements as a standard search head.
Licenses for indexer cluster nodes
An indexer cluster is a group of indexers that replicate data to promote high availability and disaster recovery. Besides indexers, known as "peer nodes", indexer clusters include other node types; specifically, a master node and search head nodes. All indexer cluster nodes are Splunk Enterprise instances.
Indexer cluster nodes use a Splunk Enterprise license. There are a few license issues that are specific to indexer clusters:
- All cluster nodes, including masters, peers, and search heads, need to be in an Enterprise license pool, even if they are not expected to index any data.
- Cluster nodes must share the same licensing configuration.
- Only incoming data counts against the license; replicated data does not.
- You cannot use index replication with a Free license.
How Splunk Enterprise licensing works
Groups, stacks, pools, and other terminology
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0