Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Types of Splunk software licenses

Each Splunk software instance requires a license. Splunk licenses specify how much data a given Splunk platform instance can index and what features you have access to. This topic discusses the various license types and options.

There are several types of licenses, including:

  • The Enterprise license enables all Enterprise features, such as authentication and distributed search. There are several types of Enterprise licenses, including the Enterprise Trial license, which enables the full set of Enterprise features for a limited time and with limited volume.
  • The Free license allows for a limited indexing volume, and disables some features, including authentication.
  • The Forwarder license is for use with forwarders. It allows you to forward, but not index, data. It allows authentication.
  • The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
  • A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.

For information on how to configure licensing for a distributed deployment, consisting of multiple Splunk Enterprise instances, see Licenses and distributed deployments.

Splunk Enterprise licenses

There are several types of Splunk Enterprise licenses. They all include access to the same set of Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls.

Standard Splunk Enterprise license

The standard Splunk Enterprise license is available for purchase and can be configured for any indexing volume. Contact Splunk Sales for information.

No-enforcement license

Starting with version 6.5, Splunk Enterprise no longer disables search when you exceed your licensed data ingestion quota. Users can keep searching even if the license master acquires five license violation warnings in a 30 day window. The license master is still in violation, but search is no longer blocked.

This no-enforcement behavior is built into all new Enterprise licenses for 6.5 or later.

If you purchased an Enterprise license prior to 6.5, you enable no-enforcement behavior by ugprading the license master to 6.5 or later and obtaining a no-enforcement license to stack with the Enterprise license. By stacking a no-enforcement license on top of a Enterprise license, you change the behavior of the entire stack to the no-enforcement behavior. If you already have a Splunk Enterprise license, no new purchase is required to obtain the no-enforcement license.

Enterprise Trial license

When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise Trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise Trial license expires 60 days after you start using Splunk software. At that point, you must either purchase an Enterprise license or switch to a Free license with a limited feature set.

The Trial license is for standalone, single-instance use. For a trial Splunk Enterprise distributed deployment, consisting of multiple Splunk Enterprise instances, each instance must use its own Trial license. This differ from a distributed deployment running under a full Enterprise license, where you install the Enterprise license on a central license master and then simply point the other instances to the license master. See Configure a license master.

Sales Trial license

The standard Enterprise Trial license expires 60 days after you start using Splunk software and allows a maximum indexing volume of 500 MB/day. If you are preparing a pilot for a large deployment and have requirements for a trial of longer duration or higher indexing volume, contact Splunk Sales or your sales representative directly with your request.

Dev/Test licenses

Certain license programs provide access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a standalone Splunk Enterprise deployment.

A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license over an Enterprise license, it replaces the Enterprise license file.

Free license

The Free license includes 500 MB/day of indexing volume, is free of charge, and has no expiration date.

A number of features that are available with the Enterprise license are disabled in Splunk Free, including:

  • Multiple user accounts and role-based access controls
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
  • Deployment management (including for clients)
  • Alerting/monitoring
  • Authentication and user management, including native authentication, LDAP, and scripted authentication.
    • There is no login. The command line or browser can access and control all aspects of Splunk software with no user and password prompt.
    • You cannot add more roles or create user accounts.
    • Searches are run against all public indexes.
    • Restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
    • The capability system is disabled. All capabilities are enabled for all users accessing Splunk software.

See More about Splunk Free.

Compare Splunk Enterprise license behavior

Consult this table for a comparison of the major Splunk Enterprise license types.

Behavior Pre-6.5 6.5+ (no-enforcement) Dev/Test Sales Trial Free
Blocks search while in violation yes no varies yes yes
Logs internally and displays message in Splunk Web when in warning or violation yes yes yes yes yes
Stacks with other licenses yes yes no yes no
Enables full Enterprise feature set yes yes no yes no

Forwarder license

The Forwarder license allows forwarding of unlimited data. Unlike a Free license, it enables authentication.

The Forwarder license is available only for instances that simply forward data. It is not valid for use on instances that also perform additional functions, such as indexing.

Forwarder licenses are included with Splunk. You do not need to purchase them separately.

There are several types of forwarders:

  • The universal forwarder has the Forwarder license applied automatically.
  • The light forwarder uses the Forwarder license, but you must manually enable it by changing to the Forwarder license group.
  • The heavy forwarder must also be manually converted to the Forwarder license group. If the heavy forwarder will also be performing indexing, the forwarder must instead have access to an Enterprise license.

Beta license

Splunk's Beta releases require their own Beta licenses, which are not compatible with other Splunk releases.

Beta licenses typically enable Enterprise features, but only for the specified Beta release.

Last modified on 09 March, 2019
How Splunk Enterprise licensing works   Licenses and distributed deployments

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters