Splunk® Enterprise

Admin Manual


Splunk Enterprise version 7.1 will no longer be supported as of April 24, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About Splunk Free

Splunk Free is the totally free version of Splunk software. The Free license lets you index up to 500 MB per day and will never expire.

The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Free.

If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.

Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
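
The rolling-window rule above can be modeled to see when search is disabled and when it returns after a bulk load. This is an added example, not Splunk code; it implements only the rule as stated on this page and assumes the window is the current day plus the previous 29 days. The function names and the sample volumes are constructed for illustration.

```python
from collections import deque

DAILY_QUOTA_MB = 500      # Free license quota stated on the page
MAX_WARNINGS = 3          # more than this many warnings disables search
WINDOW_DAYS = 30          # rolling window stated on the page


def search_status(daily_mb):
    """Return a list of (day, warnings_in_window, search_enabled) tuples.

    daily_mb: indexed volume per day in MB, day 1 first.
    Assumption: the window is the current day plus the 29 days before it,
    and a day counts as a warning only when its volume exceeds the quota.
    """
    warning_days = deque()  # day numbers that raised a warning, oldest first
    timeline = []
    for day, volume in enumerate(daily_mb, start=1):
        if volume > DAILY_QUOTA_MB:
            warning_days.append(day)
        # Drop warnings that have aged out of the rolling window.
        while warning_days and warning_days[0] <= day - WINDOW_DAYS:
            warning_days.popleft()
        count = len(warning_days)
        timeline.append((day, count, count <= MAX_WARNINGS))
    return timeline


def lockout_periods(daily_mb):
    """Collapse the timeline into (first_day, last_day) spans with search disabled."""
    periods, start = [], None
    timeline = search_status(daily_mb)
    for day, _count, enabled in timeline:
        if not enabled and start is None:
            start = day
        elif enabled and start is not None:
            periods.append((start, day - 1))
            start = None
    if start is not None:
        periods.append((start, timeline[-1][0]))
    return periods


# Constructed sample: a forensic bulk load on days 2, 5, 9 and 12, with
# ordinary low-volume days otherwise, over 45 days.
SAMPLE = [120.0] * 45
for bulk_day in (2, 5, 9, 12):
    SAMPLE[bulk_day - 1] = 4000.0
```

With the constructed sample, the fourth over-quota day disables search, and it stays disabled until the earliest warning ages out of the window.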

Is Splunk Free for you?

Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets--Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.

What is included with Splunk Free?

Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:

  • Distributed search configurations (including search head clustering) are not available.
  • Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
  • Deployment management capabilities are not available.
  • Alerting (monitoring) is not available.
  • Indexer clustering is not available.
  • Report acceleration summaries are not available.
  • While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
  • There is no authentication or user and role management when using Splunk Free. This means:
    • There is no login. The command line or browser can access and control all aspects of Splunk Free with no user and password prompt.
    • All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
    • Searches are run against all public indexes, 'index=*'.
    • Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
    • The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

Switching to Free from an Enterprise Trial license

When you first download and install Splunk, you are automatically using an Enterprise Trial license. You can continue to use the Enterprise Trial license until it expires, or switch to the Free license right away, depending on your requirements.

What you should know about switching to Free

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

  • User accounts or roles that you created no longer work.
  • Anyone connecting to the instance will automatically be logged on as admin. You will no longer see a login screen, though you will see the update check occur.
  • Any knowledge objects created by any user other than admin (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:
  • Any alerts you defined no longer trigger. You no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes.
  • Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats do not work.

When you attempt to make any of the above configurations in Splunk Web while using an Enterprise Trial license, you will be warned about the above limitations in Splunk Free.

How do I switch to Splunk Free?

You can change from the Enterprise Trial license to a Free license at any time. To switch licenses:

  1. Log in to Splunk Web as a user in the admin role
  2. Select Settings > Licensing
  3. Click Change License Group
  4. Select Free license
  5. Click Save
  6. You are prompted to restart

If your Enterprise Trial license has expired, use the same procedure except that you can only log into Splunk Web as the admin user. No other credentials will work.

Switching to the Free license removes all authentication and the ability to create or define users. Once the services are restarted, there's no Splunk Web login page displayed. You are passed straight into Splunk Web as an administrator-level user.

Last modified on 03 February, 2020

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2



You can apply a license via the command line (CLI).


It would be similar to what's shown in the example:

splunk add licenses $SPLUNK_HOME/etc/licenses/enterprise/enterprise.lic

Just change the path to match the actual location of the license file you upload to your Splunk system.

January 24, 2020

In Splunk Enterprise 8.x, when the trial license expires you are not able to log in anymore. How can we follow the above steps?

January 22, 2020

Missing from this page is a link to what the actual License Terms actually are. To a legal mindset this page is a bit peculiar because it manages to not give any information at all about the "license", talking only about the license enforcement mechanism.

People do need to know what those legal terms are, to know if the Free license might be suitable.

PS. I *think* the answer is that the terms are the exact same as the Master Software License Agreement, but as per section 2.4, it states that the functionality is deliberately limited, there is no support, no warranty and no indemnity, so sections 7, 10 and 13 do not apply.

November 7, 2018

When switching from Enterprise to Free, it is asking me to upload a license file. Where can I get this license file for the Free version of Splunk?

August 27, 2018

I’m not sure if this necessarily needs to be documented but it would have been helpful. With the Splunk Free product, the _audit index does not log the search string. |history works, but you cannot view searches in index=_audit

October 13, 2017
