Licenses and distributed deployments
Note: This topic does not pertain to standalone Splunk Enterprise deployments, which consist of a single Splunk Enterpirse instance plus forwarders. For a standalone deployment, simply install the license appropriate to your needs directly on the instance. See Types of Splunk software licenses.
Distributed Splunk Enterprise deployments consist of multiple Splunk Enterprise instances. Separate instances perform various functions such as indexing and search management. Each instance is categorized as one or more component types, based on the functions that it performs. In most cases, an instance serves as just a single component, but it is possible for an instance sometimes to combine the functionality of several components.
See Scale your deployment with Splunk Enterprise components and Components that help to manage your deployment in Distributed Deployment.
This topic discusses the license requirements for each component type. For more information on the types of licenses discussed in this topic, see Types of Splunk software licenses.
In a distributed deployment, most Splunk Enterprise instances need access to an Enterprise license:
- Instances need access to an Enterprise license, unless they are functioning only as forwarders. They need this access even if they will not be indexing external data, because the defining features of a distributed deployment, such as distributed search, are available only with Enterprise licenses. For information on the set of features that require an Enterprise license, see About Splunk Free.
- Forwarders need only a Forwarder license, as long as they are functioning solely as forwarders. If they are also performing functions such as indexing data or managing searches, they need access to an Enterprise license.
The recommended way to give instances access to an Enterprise license is to make them slaves of a license master.
This table provides a summary of the license needs for the various Splunk Enterprise component types.
|Component type||License type||Notes|
|Indexer cluster master node||Enterprise|
|Search head cluster deployer||Enterprise|
|Heavy forwarder||Forwarder||Heavy forwarders that index data need access to an Enterprise license instead of a Forwarder license.|
Components and licensing issues
Indexers index, store, and search external data.
To participate in a distributed deployment, indexers need access to an Enterprise license. The data that indexers ingest is metered against the license.
A search head is a Splunk Enterprise instance that manages searches.
Search heads need access to an Enterprise license.
Forwarders ingest data and forward that data to another forwarder or an indexer. Because data is not metered until it is actually indexed, forwarders do not usually incur license usage.
In most distributed deployments, forwarders need a Forwarder license.
There are several types of forwarders:
- The universal forwarder has the Forwarder license applied automatically.
- The light forwarder uses the Forwarder license, but you must manually enable it by changing to the Forwarder license group.
- The heavy forwarder must also be manually converted to the Forwarder license group. If the heavy forwarder will be performing indexing, the forwarder must instead have access to an Enterprise license.
Note: A forwarder can use the Free license instead of a Forwarder license, but some important functionality is unavailable with a Free license. In particular, a forwarder using a Free license cannot be a deployment client and it cannot make use of authentication. See About Splunk Free.
Management components include the deployment server, the indexer cluster master node, the search head cluster deployer, and the monitoring console. For information on management components, see Components that help to manage your deployment.
All Splunk Enterprise instances functioning as management components need access to an Enterprise license.
Clustered deployments and licensing issues
Indexer cluster nodes
An indexer cluster is a group of indexers that replicate data to promote high availability and disaster recovery. Besides indexers, referred to as "peer nodes" in this context, indexer clusters include other node types; specifically, a master node and one or more search head nodes.
Each indexer cluster node requires an Enterprise license. There are a few license issues that are specific to indexer clusters:
- Cluster nodes must all share the same licensing configuration.
- Only incoming data counts against the license; replicated data does not.
Search head cluster members
Each search head cluster member needs access to an Enterprise license.
The search head cluster deployer, which distributes apps to the members, also needs access to an Enterprise license.
Types of Splunk software licenses
Allocate license volume
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2, 7.1.3