Related Answers
Download topic as PDF
Learn about licensing
How Splunk Enterprise licensing works
Splunk Enterprise takes in data from sources that you designate and processes it so that you can analyze it. This process is called indexing. For information about the indexing process, see How Splunk software handles your data in Getting Data In.
Splunk Enterprise licenses specify how much data you can index per calendar day (from midnight to midnight by the clock on the license manager).
Any Splunk Enterprise instance that performs indexing must be licensed to do so. You can either run a standalone indexer with a license installed locally, or you can configure one of your Splunk Enterprise instances as a license manager and set up a license pool from which other indexers, configured as license peers, can draw.
If you exceed your licensed daily volume on any one calendar day, you get a violation warning. If you have 5 or more warnings on an Enterprise license in a rolling 30-day period, you are in violation of your license. Unless you are using a Splunk Enterprise 6.5.0 or later no-enforcement license, search is disabled for the violating pools. Other pools remain searchable, as long as the total license usage from all pools is less than the total license quota for the license manager.
In addition to indexing volume, access to some Splunk Enterprise features requires an Enterprise license.
There are a few types of licenses, such as:
- The Enterprise license enables all Enterprise features, such as authentication and distributed search. As of Splunk Enterprise 6.5.0, new Enterprise licenses are no-enforcement licenses.
- The Free license allows for a limited indexing volume and disables some features, including authentication.
- The Forwarder license allows you to forward data, but not index data, and enables local authentication only.
- The Beta license typically enables Enterprise features, but is restricted to Splunk Beta releases.
- A license for a premium app is used in conjunction with an Enterprise or Cloud license to access the functionality of an app.
For more information about different types of licenses, read Types of Splunk licenses in the Admin Manual.
Understand your licenses
Survey what licenses you have:
- Log into Splunk Web on your license manager.
- Click Settings > Licensing.
- Make note of Enterprise and app licenses and their expiration dates.
Check your license usage:
- Log into Splunk Web on your license manager.
- Click Settings > Licensing.
- Click License usage report.
See About the license usage report view in the Admin Manual. This view is also accessible from the Indexing tab of the monitoring console.
Monitor your license usage
To prevent license violations, set up alerts for expiring licenses and licenses nearing quota. You can use the two platform alerts included with the monitoring console.
For more information, see:
- Platform alerts in Monitoring Splunk Enterprise.
- About license violations in the Admin Manual.
Update Support contact
Splunk licenses are tied to your organization's customer account at Splunk. A customer account typically has one or several employees that are authorized to received Splunk Support after some training, in addition to a Splunk portal administrator who manages the list of authorized contacts. Make sure you understand how your organization contacts Support, before you need to.
|
PREVIOUS Review security configurations and certificates |
NEXT Monitor system health |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
Feedback submitted, thanks!