Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

How Splunk licensing works

Splunk takes in data from sources you designate and processes it so that you can analyze it in Splunk. We call this process indexing. For information about the exact indexing process, refer to "What Splunk does with your data" in the Getting Data In Manual.

Splunk licenses specify how much data you can index per calendar day (from midnight to midnight by the clock on the license master).

Any host in your Splunk infrastructure that performs indexing must be licensed to do so. You can either run a standalone indexer with a license installed locally, or you can configure one of your Splunk instances as a license master and set up a license pool from which other indexers, configured as license slaves, can draw.

In addition to indexing volume, access to some Splunk Enterprise features requires an Enterprise license. For more information about different types of licenses, read "Types of Splunk licenses" in this manual.

For information about upgrading an existing license, see "Migrate to the new Splunk licenser" in the Installation Manual.

About the connection between the license master and license slaves

When a license master instance is configured, and license slaves are added to it, the license slaves communicate their usage to the license master every minute. If the license master is unreachable for any reason, the license slave starts a 24 hour timer. If the license slave cannot reach the license master for 24 hours, search is blocked on the license slave (although indexing continues). Users will not be able to search data in the indexes on the license slave until that slave can reach the license master again.

Splunk license lifecycle(s)

When you first install a downloaded copy of Splunk, that instance of Splunk is using a 60 day Trial Enterprise license. This license allows you to try out all of the Enterprise features in Splunk for 60 days, and to index up to 500 MB of data per day.

Once the 60 day trial expires (and if you have not purchased and installed an Enterprise license), you are given the option to switch to Splunk Free. Splunk Free includes a subset of the features of Splunk Enterprise and is intended for use in standalone deployments and for short-term forensic investigations. It allows you to index up to 500 MB of data a day indefinitely.

Important: Splunk Free does not include authentication or scheduled searches/alerting. This means that any user accessing your Splunk installation (via Splunk Web or the CLI) will not have to provide credentials. Additionally, scheduled saved searches/alerts will no longer fire.

If you want to continue using Splunk's Enterprise features after the 60 day Trial expires, you must purchase an Enterprise license. Contact a Splunk sales rep to learn more.

Once you've purchased and downloaded an Enterprise license, you can install it on your Splunk instance and access Splunk Enterprise features. Read "Types of Splunk licenses" in this manual for information about Enterprise features.

Secure your configuration
Types of Splunk software licenses

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters