Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Types of Splunk software licenses

Each Splunk instance requires a license. Splunk licenses specify how much data a given Splunk instance can index and what features you have access to. This topic discusses the various license types and options.

In general, there are four types of licenses:

  • The Enterprise license enables all enterprise features, such as authentication and distributed search.
  • The Free license allows you a limited indexing volume and disables authentication, but is perpetual.
  • The Forwarder license allows you to forward, but not index, data and enables authentication.
  • The Beta license, typically enables enterprise features, but is restricted to Splunk Beta releases.

Also discussed in this topic are some special licensing considerations if your deployment includes distributed search or index replication.

For information about upgrading an existing license, see "Migrate to the new Splunk licenser" in the Installation Manual.

Enterprise license

Splunk Enterprise is the standard Splunk license. It allows you to use all Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls. Enterprise licenses are available for purchase and can be any indexing volume. Contact Splunk Sales for more information.

The following are additional types of Enterprise licenses, which include all the same features:

Enterprise trial license

When you download Splunk for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days after you start using Splunk. If you are running with a Enterprise trial license and your license expires, Splunk requires you to switch to a Splunk Free license.

Once you have installed Splunk, you can choose to run Splunk with the Enterprise trial license until it expires, purchase an Enterprise license, or switch to the Free license, which is included.

Note: The Enterprise trial license is also sometimes referred to as "download-trial."

Sales trial license

If you are working with Splunk Sales, you can request trial Enterprise licenses of varying size and duration. The Enterprise trial license expires 60 days after you start using Splunk. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales or your sales rep directly with your request.

Free license

The Free license includes 500 MB/day of indexing volume, is free (as in beer), and has no expiration date.

The following features that are available with the Enterprise license are disabled in Splunk Free:

  • Multiple user accounts and role-based access controls
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
  • Deployment management (including for clients)
  • Alerting/monitoring
  • Authentication and user management, including native authentication, LDAP, and scripted authentication.
    • There is no login. The command line or browser can access and control all aspects of Splunk with no user/password prompt.
    • You cannot add more roles or create user accounts.
    • Searches are run against all public indexes, 'index=*' and restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
    • The capability system is disabled, all capabilities are enabled for all users accessing Splunk.

Learn more about the free version of Splunk in this manual.

Forwarder license

This license allows forwarding (but not indexing) of unlimited data, and also enables security on the instance so that users must supply username and password to access it. (The free license can also be used to forward an unlimited amount of data, but has no security.)

Forwarder licenses are included with Splunk; you do not have to purchase them separately.

Splunk offers several forwarder options:

  • The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation.
  • The light forwarder uses the same license, but you must manually enable it by changing to the Forwarder license group.
  • The heavy forwarder must also be manually converted to the Forwarder license group. If any indexing is to be performed, the instance should instead be given access to an Enterprise license stack. Read "Groups, stacks, pools, and other terminology" in this manual for more information about Splunk license terms.

Beta license

Splunk's Beta releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Beta release of Splunk, it will not run with a Free or Enterprise license. Beta licenses typically enable Enterprise features, they are just restricted to Beta releases. If you are evaluating a Beta version of Splunk, it will come with its own license.

Licenses for search heads (for distributed search)

A search head is a Splunk instance that distributes searches to other Splunk indexers. Although search heads don't usually index any data locally, you will still want to use a license to restrict access to them.

There is no special type of license specifically for search heads, that is to say, there is no "Search head license". However, you must have an Enterprise license to configure a search head, and how you arrange for licensing for the search head depends on the version of Splunk:

  • In the past, for versions prior to 4.2, Splunk suggested using a separate forwarder license on each search head. This was simply because forwarder licenses do not allow indexing, but require authentication for access to the search head.
  • Now, for versions after 4.2, Splunk recommends that, instead of assigning a separate license to each peer, you add the search heads to an Enterprise license pool even if they are not expected to index any data. Read "Groups, stacks, pools, and other terminology" and "Create or edit a license pool."

Note: If your existing search head has a pre-4.2 forwarder license installed, the forwarder license will not be read after you upgrade.

Licenses for indexer cluster nodes (for index replication)

As with any Splunk deployment, your licensing requirements are driven by the volume of data your indexers process. Contact your Splunk sales representative to purchase additional license volume.

There are just a few license issues that are specific to index replication:

  • All cluster nodes, including masters, peers, and search heads, need to be in an Enterprise license pool, even if they're not expected to index any data.
  • Cluster nodes must share the same licensing configuration.
  • Only incoming data counts against the license; replicated data does not.
  • You cannot use index replication with a free license.

Read more about "System requirements and other deployment considerations" in the Managing Indexers and Clusters manual.

Last modified on 09 September, 2016
How Splunk Enterprise licensing works
Groups, stacks, pools, and other terminology

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters