Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Types of Splunk software licenses

Each Splunk software instance requires a license. Splunk licenses specify how much data a given Splunk platform instance can index and what features you have access to. This topic discusses the various license types and options.

There are several types of licenses, including:

  • The Enterprise license enables all Enterprise features, such as authentication and distributed search. There are several types of Enterprise licenses, including the Enterprise Trial license, which enables the full set of Enterprise features for a limited time and with limited volume.
  • The Free license allows for a limited indexing volume, and disables some features, including authentication. The Free license is perpetual.
  • The Forwarder license allows you to forward, but not index, data, and it enables authentication.
  • The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
  • A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.

Also discussed in this topic are licensing considerations for a deployment including distributed search or indexer clustering.

For information about upgrading a pre-4.2 license, see Migrate to the new Splunk Enterprise licenser in the Installation Manual.

Splunk Enterprise licenses

A Splunk Enterprise license is a standard Splunk software license. It allows you to use all Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls. Enterprise licenses are available for purchase and can be any indexing volume. Contact Splunk Sales for more information.

The following are additional types of Enterprise licenses, which include all the same features:

No-enforcement license

If your license master is running Splunk Enterprise 6.5.0 or later, you can use a no-enforcement Enterprise license. This new license type allows users to keep searching even if you acquire five warnings in a 30 day window. Your license master still considers itself in violation, but search is not blocked.

A no-enforcement license stacks with other Enterprise licenses. Stacking a no-enforcement license on top of another valid Enterprise license changes the behavior of the entire stack to the no-enforcement behavior.

Enterprise trial license

When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days after you start using Splunk software. At that point, you must either purchase an Enterprise license or switch to a Free license with a limited feature set.

Sales trial license

If you work with Splunk Sales, you can request trial Enterprise licenses of varying size and duration. The Enterprise trial license expires 60 days after you start using Splunk software. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales or your sales representative directly with your request.

Dev/Test licenses

With certain license programs you might have access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a single instance Splunk Enterprise deployment on version 6.5.0 or later.

Caution: A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license with an Enterprise license, the Enterprise license file will be replaced.

Free license

The Free license includes 500 MB/day of indexing volume, is free (as in beer), and has no expiration date.

The following features that are available with the Enterprise license are disabled in Splunk Free:

  • Multiple user accounts and role-based access controls
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
  • Deployment management (including for clients)
  • Alerting/monitoring
  • Authentication and user management, including native authentication, LDAP, and scripted authentication.
    • There is no login. The command line or browser can access and control all aspects of Splunk software with no user/password prompt.
    • You cannot add more roles or create user accounts.
    • Searches are run against all public indexes, 'index=*' and restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
    • The capability system is disabled, all capabilities are enabled for all users accessing Splunk software.

See More about Splunk Free.

Compare license features

Consult this table for a comparison of major license types.

Behavior or functionality Enterprise pre-6.5.0 No-
enforcement Enterprise
Personalized Dev/Test Enterprise Trial Free
Blocks search while in violation yes no varies yes yes
Logs internally and displays message in Splunk Web when in warning or violation yes yes yes yes yes
Stacks with other licenses yes yes no yes no
Full Enterprise feature set yes yes no yes no

Forwarder license

This license allows forwarding (but not indexing) of unlimited data, and also enables security on the instance so that users must supply username and password to access it. (The free license can also be used to forward an unlimited amount of data, but has no security.)

Forwarder licenses are included with Splunk; you do not have to purchase them separately.

Splunk offers several forwarder options:

  • The universal forwarder has the license enabled/applied automatically; no additional steps are required post-installation.
  • The light forwarder uses the same license, but you must manually enable it by changing to the Forwarder license group.
  • The heavy forwarder must also be manually converted to the Forwarder license group. If any indexing is to be performed, the instance should instead be given access to an Enterprise license stack. Read Groups, stacks, pools, and other terminology for more information about Splunk license terms.

Beta license

Splunk's Beta releases require a different license that is not compatible with other Splunk releases. Also, if you are evaluating a Beta release of Splunk, it will not run with a Free or Enterprise license. Beta licenses typically enable Enterprise features, they are just restricted to Beta releases. If you are evaluating a Beta version of Splunk, it will come with its own license.

Licenses for search heads (for distributed search)

A search head is a Splunk instance that distributes searches to other Splunk indexers. Although search heads don't usually index any data locally, you will still want to use a license to restrict access to them.

There is no special type of license specifically for search heads, that is to say, there is no "Search head license". However, you must have an Enterprise license to configure a search head. Splunk recommends that you add the search heads to an Enterprise license pool even if they are not expected to index any data. Read Groups, stacks, pools, and other terminology and Create or edit a license pool.

Note: If your existing search head has a pre-4.2 forwarder license installed, the forwarder license will not be read after you upgrade.

Licenses for search head cluster members

A search head cluster is a group of search heads that coordinate their activities. Each search head in a search head cluster is known as a member.

Each search head cluster member has the same licensing requirements as a standalone search head. See System requirements and other deployment considerations for search head clusters in Distributed Search.

Licenses for indexer cluster nodes (for index replication)

As with any Splunk deployment, your licensing requirements are driven by the volume of data your indexers process. Contact your Splunk sales representative to purchase additional license volume.

There are just a few license issues that are specific to index replication:

  • All cluster nodes, including masters, peers, and search heads, need to be in an Enterprise license pool, even if they're not expected to index any data.
  • Cluster nodes must share the same licensing configuration.
  • Only incoming data counts against the license; replicated data does not.
  • You cannot use index replication with a Free license.

Read more about System requirements and other deployment considerations in Managing Indexers and Clusters of Indexers.

Last modified on 20 June, 2018
How Splunk Enterprise licensing works
Licenses and distributed deployments

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters