Types of Splunk software licenses
Each Splunk software instance requires a license. Splunk licenses specify how much data a given instance can index and what features you have access to. This topic discusses the various license types and options.
There are several types of licenses, including:
- The Splunk Enterprise license enables all Splunk Enterprise features, such as authentication and distributed search. There are several types of Splunk Enterprise licenses, including the Splunk Enterprise Trial license, which enables the full set of Splunk Enterprise features for a limited time and with limited volume, and the Splunk for Industrial IoT license, which also gives access to specific apps.
- The Free license allows for a limited indexing volume, and disables some features, including authentication.
- The Forwarder license is for use with forwarders. It allows you to forward, but not index, data. It allows authentication.
- The Beta license typically enables Enterprise features, but is restricted to Splunk software Beta releases.
- A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.
For information on how to configure licensing for a distributed deployment, consisting of multiple Splunk Enterprise instances, see Licenses and distributed deployments.
Splunk Enterprise licenses
There are several types of Splunk Enterprise licenses. They all include access to the same set of Splunk Enterprise features, including authentication, distributed search, deployment management, scheduling of alerts, and role-based access controls.
Standard Splunk Enterprise license
The standard Splunk Enterprise license is available for purchase and can be configured for any indexing volume. Contact Splunk Sales for information.
Starting with version 6.5, Splunk Enterprise no longer disables search when you exceed your licensed data ingestion quota. Users can keep searching even if the license master acquires five license violation warnings in a 30 day window. The license master is still in violation, but search is no longer blocked.
This no-enforcement behavior is built into all new Enterprise licenses for 6.5 or later.
If you purchased an Enterprise license prior to 6.5, you enable no-enforcement behavior by upgrading the license master to 6.5 or later and obtaining a no-enforcement license to stack with the Enterprise license. By stacking a no-enforcement license on top of a Enterprise license, you change the behavior of the entire stack to the no-enforcement behavior. If you already have a Splunk Enterprise license, no new purchase is required to obtain the no-enforcement license.
Enterprise Trial license
When you download Splunk software for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise Trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise Trial license expires 60 days after you start using Splunk software. At that point, you must either purchase an Enterprise license or switch to a Free license with a limited feature set.
The Trial license is for standalone, single-instance use. For a trial Splunk Enterprise distributed deployment, consisting of multiple Splunk Enterprise instances, each instance must use its own Trial license. This differs from a distributed deployment running under a full Enterprise license, where you install the Enterprise license on a central license master and then simply point the other instances to the license master. See Configure a license master.
Sales Trial license
The standard Enterprise Trial license expires 60 days after you start using Splunk software and allows a maximum indexing volume of 500 MB/day. If you are preparing a pilot for a large deployment and have requirements for a trial of longer duration or higher indexing volume, contact Splunk Sales or your sales representative directly with your request.
Certain license programs provide access to Dev/Test licenses to operate Splunk software in a non-production environment. If you are using a Dev/Test license, you will see a Dev/Test stamp on the left side of the navigation bar in Splunk Web. The Dev/Test personalized license can be used only for a standalone Splunk Enterprise deployment.
A Dev/Test license does not stack with an Enterprise license. If you install a Dev/Test license over an Enterprise license, it replaces the Enterprise license file.
The Free license includes 500 MB/day of indexing volume, is free of charge, and has no expiration date.
A number of features that are available with the Enterprise license are disabled in Splunk Free, including:
- Multiple user accounts and role-based access controls
- Distributed search
- Forwarding in TCP/HTTP formats (you can forward data to other Splunk software instances, but not to non-Splunk software instances)
- Deployment management (including for clients)
- Authentication and user management, including native authentication, LDAP, and scripted authentication.
- There is no login. The command line or browser can access and control all aspects of Splunk software with no user and password prompt.
- You cannot add more roles or create user accounts.
- Searches are run against all public indexes.
- Restrictions on search such as user quotas, maximum per-search time ranges, search filters are not supported.
- The capability system is disabled. All capabilities are enabled for all users accessing Splunk software.
Splunk for Industrial IoT license
Splunk for Industrial IoT has its own license which is not stackable with other licenses. This license gives you access to Splunk Enterprise and an entitlement for a set of apps. For details of what products are included, see Splunk for Industrial IoT.
For more information about this license, see Licensing for Splunk for Industrial IoT.
Compare Splunk Enterprise license behavior
Consult this table for a comparison of the major Splunk Enterprise license types.
|Behavior||Pre-6.5||6.5+ (no-enforcement)||Dev/Test||Sales Trial||Free||IoT|
|Blocks search while in violation||yes||no||varies||yes||yes||no|
|Logs internally and displays message in Splunk Web when in warning or violation||yes||yes||yes||yes||yes||yes|
|Stacks with other licenses||yes||yes||no||yes||no||no|
|Enables full Enterprise feature set||yes||yes||no||yes||no||yes|
The Forwarder license is an embedded license within Splunk Enterprise and the universal forwarder. It is designed to allow unlimited forwarding, along with a small subset of features needed for configuration management, authentication, and sending data.
The universal forwarder uses the Forwarder license by default. The other forwarder types; heavy forwarder and light forwarder must be configured to use the Forwarder license manually.
A heavy forwarder is often used to perform more complex functions than the Forwarder license allows. Access to features such as advanced authentication, alerting, distributed search, KVStore, and indexing require a Splunk Enterprise license. You can configure the heavy forwarder as a license slave to the license master to gain access to those features. See Manage license slaves
Beta software releases require their own Beta licenses, which are not compatible with other Splunk software releases.
Beta licenses typically enable Enterprise features, but only for the specified Beta release.
How Splunk Enterprise licensing works
Licenses and distributed deployments
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2