How Splunk Enterprise licensing works
Splunk Enterprise takes in data from sources you designate and processes it so that you can analyze it. We call this process indexing. For information about the exact indexing process, see How Splunk software handles your data in Getting Data In.
Splunk Enterprise licenses specify how much data you can index per calendar day (from midnight to midnight by the clock on the license master).
Any host in your Splunk Enterprise infrastructure that performs indexing must be licensed to do so. You can either run a standalone indexer with a license installed locally, or you can configure one of your Splunk Enterprise instances as a license master and set up a license pool from which other indexers, configured as license slaves, can draw.
In addition to indexing volume, access to some Splunk Enterprise features requires an Enterprise license. See Types of Splunk licenses.
About the connection between the license master and license slaves
When a license master instance is configured, and license slaves are added to it, the license slaves communicate their usage to the license master every minute. If the license master is unreachable for any reason, the license slave starts a 72 hour timer. If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave (although indexing continues). Users cannot search data in the indexes on the license slave until that slave can reach the license master again.
Splunk Enterprise license lifecycle
When you first install a downloaded copy of Splunk Enterprise, that instance uses a 60 day Enterprise Trial license. This license allows you to try out all of the features in Splunk Enterprise for 60 days, and to index up to 500 MB of data per day.
Once the 60 day trial expires (and if you have not purchased and installed an Enterprise license), you are given the option to switch to Splunk Free. Splunk Free includes a subset of the features of Splunk Enterprise and is intended for use in standalone deployments and for short-term forensic investigations. It allows you to index up to 500 MB of data a day indefinitely.
Important: Splunk Free does not include authentication, scheduled searches, or alerting. This means that any user accessing your installation (via Splunk Web or the CLI) will not have to provide credentials. Additionally, scheduled saved searches or alerts will no longer fire.
If you want to continue using Splunk Enterprise features after the 60 day Trial expires, you must purchase an Enterprise license. Contact a Splunk sales rep to learn more.
Once you purchase and download an Enterprise license, you can install it on your instance and access Splunk Enterprise features. Read Types of Splunk licenses in this manual for information about Enterprise features.
How metrics data is metered
Unlike event data, metrics data counts against a license at a fixed 150 bytes per metric event. Metrics data does not have a separate license. Ingesting metrics data draws from the same license quota as event data.
About update checker data
Types of Splunk software licenses
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0