Splunk® Enterprise

Inherit a Splunk Enterprise Deployment

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Learn about licensing

How Splunk Enterprise licensing works

Splunk Enterprise takes in data from sources that you designate and processes it so that you can analyze it. This process is called indexing. For information about the indexing process, see How Splunk software handles your data in Getting Data In.

Splunk Enterprise licenses specify how much data you can index per calendar day (from midnight to midnight by the clock on the license master).

Any Splunk Enterprise instance that performs indexing must be licensed to do so. You can either run a standalone indexer with a license installed locally, or you can configure one of your Splunk Enterprise instances as a license master and set up a license pool from which other indexers, configured as license slaves, can draw.

If you exceed your licensed daily volume on any one calendar day, you get a violation warning. If you have 5 or more warnings on an Enterprise license in a rolling 30-day period, you are in violation of your license. Unless you are using a Splunk Enterprise 6.5.0 or later no-enforcement license, search is disabled for the offending pool or pools. Other pools remain searchable, as long as the total license usage from all pools is less than the total license quota for the license master.

In addition to indexing volume, access to some Splunk Enterprise features requires an Enterprise license.

There are a few types of licenses, such as:

  • The Enterprise license enables all Enterprise features, such as authentication and distributed search. As of Splunk Enterprise 6.5.0, new Enterprise licenses are no-enforcement licenses.
  • The Free license allows for a limited indexing volume and disables some features, including authentication.
  • The Forwarder license allows you to forward data, but not index data, and enables local authentication only.
  • The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
  • A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.

For more information about different types of licenses, read Types of Splunk licenses in the Admin Manual.

Understand your licenses

Survey what licenses you have:

  1. Log into Splunk Web on your license master.
  2. Click Settings > Licensing.
  3. Make note of Enterprise and app licenses and their expiration dates.

Check your license usage:

  1. Log into Splunk Web on your license master.
  2. Click Settings > Licensing.
  3. Click License usage report.

See About the license usage report view in the Admin Manual. This view is also accessible from the Indexing tab of the monitoring console.

Monitor your license usage

To prevent license violations, set up alerts for expiring licenses and licenses nearing quota. You can use the two platform alerts included with the monitoring console.

For more information, see:

Update Support contact

Splunk licenses are tied to your organization's customer account at Splunk. A customer account typically has one or several employees that are authorized to received Splunk Support after some training, in addition to a Splunk portal administrator who manages the list of authorized contacts. Make sure you understand how your organization contacts Support, before you need to.

Last modified on 08 January, 2020
PREVIOUS
Review your system security
  NEXT
Monitor system health

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters