Licensing for Splunk Enterprise Security
Splunk Enterprise Security is a premium app, which is used in conjunction with Splunk Enterprise or Splunk Cloud Platform. This means that you must have Splunk Enterprise or Splunk Cloud Platform along with a Daily Indexing Volume or vCPU usage license to download the app from the Splunk Support portal.
For example, if you purchase a 1 GB Daily Indexing Volume license for Splunk Enterprise and purchase the Splunk Enterprise Security app, you can ingest only 1 GB of data to use in Splunk Enterprise and Enterprise Security. You do not receive any additional ingestion capacity. However, you are entitled to use Splunk Enterprise Security on your ingested data.
Contact your Sales representative to get pricing details based on your specific workload. Splunk Enterprise Security monitors Splunk indexes for Daily Indexing Volume and vCPU consumption, irrespective of whether you are using the on-prem or the cloud version.
Splunk monitors daily indexing volume into Splunk and the use of that data for security use cases. Splunk also monitors the vCPU usage based on the data summarized in Splunk Enterprise Security specific summary and metrics indexes. For more information, see Use Summary indexing for increased search efficiency.
License usage is measured on Daily Indexing Volume for data sources, vCPUs, and SVC. For more information, see Splunk Offerings Purchase Capacity and Limitations.
To calculate capacity consumption for ingest-based licenses for premium apps such as Splunk Enterprise Security, use the Splunk App for Chargeback. For more information, see Track data ingestion for premium apps in the Splunk Enterprise Security Installation and Upgrade manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0