Types of Splunk software licenses
Each Splunk software instance requires a license. Splunk licenses specify how much data a given Splunk platform instance can index and what features you have access to. This topic discusses the various license types and options.
There are several types of licenses, including:
- The Enterprise license enables all Enterprise features, such as authentication and distributed search. As of Splunk Enterprise 6.5.0, new Enterprise licenses are no-enforcement licenses.
- The Free license allows for a limited indexing volume, and disables some features, including authentication. The Free license is perpetual.
- The Forwarder license allows you to forward, but not index, data, and it enables authentication.
- The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
- A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.
Also discussed in this topic are licensing considerations for a deployment including distributed search or indexer clustering.
Splunk Enterprise licenses
A Splunk Enterprise license is a standard Splunk software license. It allows you to use all Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls. Enterprise licenses are available for purchase and can be any indexing volume. Contact Splunk Sales for more information.
The following are additional types of Enterprise licenses, which include all the same features:
If your license master is running Splunk Enterprise 6.5.0 or later, you can use a no-enforcement Enterprise license. This new license type allows users to keep searching even if you acquire five warnings in a 30 day window. Your license master still considers itself in violation, but search is not blocked.
A no-enforcement license stacks with other Enterprise licenses. Stacking a no-enforcement license on top of another valid Enterprise license changes the behavior of the entire stack to the no-enforcement behavior.
Enterprise trial license
When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days after you start using Splunk software. If you are using an Enterprise trial license and your license expires, Splunk requires you to switch to a Splunk Free license.
Once you have installed Splunk software, you can choose to run it with the Enterprise trial license until the license expires, purchase an Enterprise license, or switch to the Free license, which is included.
Note: The Enterprise trial license is also sometimes referred to as "download-trial."
Sales trial license
If you work with Splunk Sales, you can request trial Enterprise licenses of varying size and duration. The Enterprise trial license expires 60 days after you start using Splunk software. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales or your sales representative directly with your request.
With certain license programs you might have access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a single instance Splunk Enterprise deployment on version 6.5.0 or later.
Caution: A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license with an Enterprise license, the Enterprise license file will be replaced.
The Free license includes 500 MB/day of indexing volume, is free (as in beer), and has no expiration date.
The following features that are available with the Enterprise license are disabled in Splunk Free:
- Multiple user accounts and role-based access controls
- Distributed search
- Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
- Deployment management (including for clients)
- Authentication and user management, including native authentication, LDAP, and scripted authentication.
- There is no login. The command line or browser can access and control all aspects of Splunk software with no user/password prompt.
- You cannot add more roles or create user accounts.
- Searches are run against all public indexes, 'index=*' and restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
- The capability system is disabled, all capabilities are enabled for all users accessing Splunk software.
Compare license features
Consult this table for a comparison of major license types.
|Behavior or functionality||Enterprise pre-6.5.0||No-
|Personalized Dev/Test||Enterprise Trial||Free|
|Blocks search while in violation||yes||no||varies||yes||yes|
|Logs internally and displays message in Splunk Web when in warning or violation||yes||yes||yes||yes||yes|
|Stacks with other licenses||yes||yes||no||yes||no|
|Full Enterprise feature set||yes||yes||no||yes||no|
This license allows forwarding (but not indexing) of unlimited data, and also enables security on the instance so that users must supply username and password to access it. (The free license can also be used to forward an unlimited amount of data, but has no security.)
Forwarder licenses are included with Splunk; you do not have to purchase them separately.
Splunk offers several forwarder options:
- The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation.
- The light forwarder uses the same license, but you must manually enable it by changing to the Forwarder license group.
- The heavy forwarder must also be manually converted to the Forwarder license group. If any indexing is to be performed, the instance should instead be given access to an Enterprise license stack. Read Groups, stacks, pools, and other terminology for more information about Splunk license terms.
Splunk's Beta releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Beta release of Splunk, it will not run with a Free or Enterprise license. Beta licenses typically enable Enterprise features, they are just restricted to Beta releases. If you are evaluating a Beta version of Splunk, it will come with its own license.
Licenses for search heads (for distributed search)
A search head is a Splunk instance that distributes searches to other Splunk indexers. Although search heads don't usually index any data locally, you will still want to use a license to restrict access to them.
There is no special type of license specifically for search heads, that is to say, there is no "Search head license". However, you must have an Enterprise license to configure a search head. Splunk recommends that you add the search heads to an Enterprise license pool even if they are not expected to index any data. Read Groups, stacks, pools, and other terminology and Create or edit a license pool.
Note: If your existing search head has a pre-4.2 forwarder license installed, the forwarder license will not be read after you upgrade.
Licenses for search head cluster members
A search head cluster is a group of search heads that coordinate their activities. Each search head in a search head cluster is known as a member.
Each search head cluster member has the same licensing requirements as a standalone search head. See System requirements and other deployment considerations for search head clusters in Distributed Search.
Licenses for indexer cluster nodes (for index replication)
As with any Splunk deployment, your licensing requirements are driven by the volume of data your indexers process. Contact your Splunk sales representative to purchase additional license volume.
There are just a few license issues that are specific to index replication:
- All cluster nodes, including masters, peers, and search heads, need to be in an Enterprise license pool, even if they're not expected to index any data.
- Cluster nodes must share the same licensing configuration.
- Only incoming data counts against the license; replicated data does not.
- You cannot use index replication with a Free license.
Read more about System requirements and other deployment considerations in Managing Indexers and Clusters of Indexers.
How Splunk Enterprise licensing works
Groups, stacks, pools, and other terminology
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2