Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

How Splunk Enterprise licensing works

Splunk Enterprise ingests external data, indexes it, and stores it on disk. For details on this process, see How indexing works in Managing Indexes and Clusters of Indexers.

Licenses specify how much external data you can index per day.

All Splunk Enterprise instances require a license. If you have a standalone indexer, you can install the license locally. If, instead, you have a distributed deployment, consisting of multiple Splunk Enterprise instances, you must configure one of the instances as a license master. You then set up a license pool from which the other instances, configured as license slaves, can draw. See Licenses and distributed deployments.

Multiple types of licenses are available, to accommodate a variety of needs. See Types of Splunk licenses.

How data is metered

For event data, data volume is based on the amount of raw external data that the indexer ingests into its indexing pipeline, after any filtering. It is not based on the amount of compressed data that gets written to disk.

For metrics data, each metric event counts as a fixed 150 bytes. Metrics data does not use a separate license. Rather, it draws from the same license quota as event data.

Summary indexing volume does not count against your license. Internal indexes, such as _internal and _introspection, also do not count against your license.

The Splunk Enterprise trial license

When you first install an instance of Splunk Enterprise, the instance has access to a 60 day trial license. This license allows you to try all of the features of Splunk Enterprise for 60 days and to index up to 500 MB of data per day.

If you want to continue using Splunk Enterprise features after the 60 day trial expires, you must purchase an Enterprise license. Contact a Splunk sales rep to learn more.

If you do not install an Enterprise license after the 60 day trial expires, you can switch to Splunk Free. Splunk Free includes a subset of the features of Splunk Enterprise. It allows you to index up to 500 MB of data a day indefinitely. See About Splunk Free

Splunk Free does not include authentication. This means that any user can access your installation through Splunk Web or the CLI without providing credentials.

Additionally, Splunk Free does not include scheduled saved searches or alerts, so any saved searches or alerts that you configured during the trial license period will no longer run after you switch to Splunk Free.

Last modified on 20 July, 2021
About update checker data   Types of Splunk software licenses

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters