Types of Splunk software licenses
Each Splunk software instance requires a license. Splunk licenses specify how much data a given Splunk platform instance can index and what features you have access to. This topic discusses the various license types and options.
There are several types of licenses, including:
- The Enterprise license enables all Enterprise features, such as authentication and distributed search. There are several types of Enterprise licenses, including the Enterprise Trial license, which enables the full set of Enterprise features for a limited time and with limited volume.
- The Free license allows for a limited indexing volume, and disables some features, including authentication.
- The Forwarder license is for use with forwarders. It allows you to forward, but not index, data. It allows authentication.
- The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
- A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.
For information on how to configure licensing for a distributed deployment, consisting of multiple Splunk Enterprise instances, see Licenses and distributed deployments.
Splunk Enterprise licenses
There are several types of Splunk Enterprise licenses. They all include access to the same set of Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls.
Standard Splunk Enterprise license
The standard Splunk Enterprise license is available for purchase and can be configured for any indexing volume. Contact Splunk Sales for information.
Starting with version 6.5, Splunk Enterprise no long disables search when you exceed your licensed data ingestion quota. Users can keep searching even if the license master acquires five license violation warnings in a 30 day window. The license master is still in violation, but search is no longer blocked.
This no-enforcement behavior is built into all new Enterprise licenses for 6.5 or later.
If you purchased an Enterprise license prior to 6.5, you enable no-enforcement behavior by ugprading the license master to 6.5 or later and obtaining a no-enforcement license to stack with the Enterprise license. By stacking a no-enforcement license on top of a Enterprise license, you change the behavior of the entire stack to the no-enforcement behavior. If you already have a Splunk Enterprise license, no new purchase is required to obtain the no-enforcement license.
Enterprise Trial license
When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise Trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise Trial license expires 60 days after you start using Splunk software. At that point, you must either purchase an Enterprise license or switch to a Free license with a limited feature set.
The Trial license is for standalone, single-instance use. For a trial Splunk Enterprise distributed deployment, consisting of multiple Splunk Enterprise instances, each instance must use its own Trial license. This differ from a distributed deployment running under a full Enterprise license, where you install the Enterprise license on a central license master and then simply point the other instances to the license master. See Configure a license master.
Sales Trial license
The standard Enterprise Trial license expires 60 days after you start using Splunk software and allows a maximum indexing volume of 500 MB/day. If you are preparing a pilot for a large deployment and have requirements for a trial of longer duration or higher indexing volume, contact Splunk Sales or your sales representative directly with your request.
Certain license programs provide access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a standalone Splunk Enterprise deployment.
A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license over an Enterprise license, it replaces the Enterprise license file.
The Free license includes 500 MB/day of indexing volume, is free of charge, and has no expiration date.
A number of features that are available with the Enterprise license are disabled in Splunk Free, including:
- Multiple user accounts and role-based access controls
- Distributed search
- Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
- Deployment management (including for clients)
- Authentication and user management, including native authentication, LDAP, and scripted authentication.
- There is no login. The command line or browser can access and control all aspects of Splunk software with no user/password prompt.
- You cannot add more roles or create user accounts.
- Searches are run against all public indexes, 'index=*' and restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
- The capability system is disabled, all capabilities are enabled for all users accessing Splunk software.
Compare Splunk Enterprise license behavior
Consult this table for a comparison of the major Splunk Enterprise license types.
|Behavior||Pre-6.5||6.5+ (no-enforcement)||Dev/Test||Sales Trial||Free|
|Blocks search while in violation||yes||no||varies||yes||yes|
|Logs internally and displays message in Splunk Web when in warning or violation||yes||yes||yes||yes||yes|
|Stacks with other licenses||yes||yes||no||yes||no|
|Enables full Enterprise feature set||yes||yes||no||yes||no|
The Forwarder license allows forwarding of unlimited data. Unlike a Free license, it enables authentication.
The Forwarder license is available only for instances that simply forward data. It is not valid for use on instances that also perform additional functions, such as indexing.
Forwarder licenses are included with Splunk. You do not need to purchase them separately.
There are several types of forwarders:
- The universal forwarder has the Forwarder license applied automatically.
- The light forwarder uses the Forwarder license, but you must manually enable it by changing to the Forwarder license group.
- The heavy forwarder must also be manually converted to the Forwarder license group. If the heavy forwarder will also be performing indexing, the forwarder must instead have access to an Enterprise license.
Splunk's Beta releases require their own Beta licenses, which are not compatible with other Splunk releases.
Beta licenses typically enable Enterprise features, but only for the specified Beta release.
How Splunk Enterprise licensing works
Licenses and distributed deployments
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0