Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About Splunk Free

If you want to run Splunk Enterprise to practice searches, data ingestion, and other tasks without worrying about a license, Splunk Free is the tool for you.

  • The Free license gives very limited access to Splunk Enterprise features.
  • The Free license is for a standalone, single-instance use only installation.
  • The Free license does not expire.
  • The Free license allows you to index 500 MB per day. If you exceed that you will receive a license violation warning.
  • The Free license will prevent searching if there are a number of license violation warnings.

Is Splunk Free for you?

The major limitations of Splunk Free are the license volume restriction and removed features.

  • Will you ingest less than or up to 500 MB per day of data? At that volume of data per day, you will use around 7GB of storage space per month.
  • Are you planning to ingest a large (over 500 MB per day) data set only once, and then analyze it? The Splunk Free license lets you bulk load a much larger data sets up to 2 times within a 30 day period. This can be useful for forensic review of large data sets.
  • The Free license will prevent searching if there are 3 license warnings in a rolling 30 day window. If that happens, Splunk Free continues to index your data but disables search functionality. You will regain search when you are below 3 license violation warnings in a 30 day period. See About license violations.

What features are disabled on Splunk Free?

Splunk Free is for standalone, single-instance use only installations. Most Splunk Enterprise features are available on the Free license, with the following exceptions:

  • Alerting (monitoring) is not available.
  • There are no users or roles. This means:
    • There is no login. You are passed straight into Splunk Web as an administrator-level user.
    • The command line or browser can access and control all aspects of Splunk Free with no user and password prompt.
    • There is only the admin role, and it is not configurable. You cannot add roles or create user accounts.
    • Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters are not supported.
  • Distributed search configurations including search head clustering are not available.
  • Deployment management capabilities are not available.
  • Indexer clustering is not available.
  • Forwarding in TCP/HTTP formats is not available. This means you can forward data from a Free license instance to other Splunk platform instances, but not to non-Splunk software.
  • Report acceleration summaries are not available.

How do I get Splunk Enterprise with the Free license?

  1. Create your user account on splunk.com.
  2. Review the list of supported operating systems for the "Free" license in Supported Operating Systems.
  3. Download the latest version of Splunk Enterprise for your operating system from Free Trials and Downloads on splunk.com. Login required.
  4. Use the installation instructions for your operating system. See Installation instructions.
    1. After installation, you'll have an Enterprise Trial license for 60 days. You can change to the Free license at any point before the Enterprise Trial is complete. See Switching to Free from an Enterprise Trial license.
  5. If this is the first time you have installed Splunk Enterprise, see the Search Tutorial to learn how to index data into Splunk software and search that data using the Splunk Enterprise search language.

Switching to Free from an Enterprise Trial license

When you first download and install Splunk Enterprise, an Enterprise Trial license is created and enabled by default. You can continue to use the Enterprise Trial license until it expires, or switch to the Free license right away depending on your requirements.

What you should know about switching to Free

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

  • Any alerts you defined no longer trigger. You no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes.
  • Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats do not work.
  • User accounts or roles that you created no longer work.
    • Anyone connecting to the instance will automatically be logged on as admin. You will no longer see a login screen.
  • Any knowledge objects created by any user other than admin (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:

When you attempt to make any of the above configurations in Splunk Web while using an Enterprise Trial license, you will be warned about the limitations in Splunk Free.

How do I switch to the Splunk Free license?

You can change from the Enterprise Trial license to a Free license at any time. To switch licenses:

  1. Log in to Splunk Web as a user in the admin role
  2. Select Settings > Licensing
  3. Click Change License Group
  4. Select Free license
  5. Click Save
  6. You are prompted to restart

If your Enterprise Trial license has expired, use the above procedure except that you can only log into Splunk Web as the admin user. No other credentials will work.

If you need to reset your administrator account, see Unlock a user account in the Securing the Splunk Platform manual.

Switching to the Free license removes all authentication and the ability to create or define users. Once the services are restarted, there's no Splunk Web login page displayed. You are passed straight into Splunk Web as an administrator-level user.

Last modified on 11 November, 2022
Create or edit a license pool   Delete a license

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters