Obtain and configure a Splunk Phantom license
From the main menu, select Administration > Company Settings > License to view information about the license on your system.
There are three types of licenses available for Splunk Phantom:
- Community License
This is the default, free license for everyone who registers for Splunk Phantom Community access and downloads Splunk Phantom. This license is limited to a set number of actions per day. See Community License.
- Event-based License
This license type is based on the number of events updated in the twenty-four hour tracking period. Individual licenses vary in terms of volume.
- Seat-based License
This license is governed by the number of users allowed to log in to Splunk Phantom. Seat-based licensing is available in blocks of five seats and can vary by the number of tenants.
The number of tenants is purchased as an additional parameter for both event-based and seat-based licenses.
If a license is removed or expires, Splunk Phantom reverts to the community license.
Splunk Phantom installs with a default license, the Community License. The Community License is limited to:
- 100 licensed actions per day
- 50 containers
- 1 tenant
- 5 cases in the New or Open states
Splunk Phantom licensed actions
Using these actions via the REST API, a Playbook, or by executing an action in the Splunk Phantom graphical user interface counts as a licensed action. When used in the Visual Playbook Editor's debugger, these actions are not counted against the number of licensed actions.
No actions called from the Visual Playbook Editor's debugger count as a licensed action.
The action limit is specifically the number of actions run, as opposed to Playbooks run. Running one Playbook may invoke several actions. Also, an action run against multiple assets will count as only one action. Keep this in mind if you are managing the number of actions taken per day.
The Event-based license limits events.
An event is a container. A container is a top-level composite object that collects artifacts. An event-based license tracks the number of events that are updated in the twenty-four hour tracking period.
Customers using a seat-based license are limited to a number of user accounts that can log in to Splunk Phantom. This number includes local accounts in Splunk Phantom and accounts authenticated or managed by external services such as SAML2, LDAP, or OpenID. The built-in user accounts for the automation and the admin users do not count against a seat-based license. Other users assigned the admin role still count against a seat-based license.
Seat limits must be purchased in increments of five.
Obtaining a license
To obtain a license, you must submit a license request and obtain a Splunk Phantom license file.
To obtain a trial license for Splunk Phantom, contact the Splunk Phantom Sales department.
To request an updated copy of a current Splunk Phantom license, open a license request case at https://support.splunk.com or call +1(855)SPLUNK-S or +1(855)775-8657.
International Splunk Support numbers are located at https://www.splunk.com/en_us/about-us/contact.html#tabs/customer-support.
The number of events permitted and expiration of the license is based on the terms listed in your company's entitlement.
Once you have your license file:
- From the main menu, select Administration.
- Select Company Settings > License.
- Click Upload Key.
- Provide the location of the key file on your system.
- Click Accept & Install. The license is applied automatically.
The information obtained from the license file is displayed on the page.
If any of the information shown is incorrect or you experience any difficulty loading the license file, open a support case at https://support.splunk.com or call +1(855)SPLUNK-S or +1(855)775-8657.
Configure the ROI Settings dashboard
Configure a source control repository for your Splunk Phantom playbooks
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7