How Splunk Enterprise licensing works
When data is sent to the Splunk platform, that data is indexed and stored on disk. Part of the indexing process is to measure the volume of data being ingested, and report that volume to the license manager for license volume tracking.
How data is measured
When ingesting event data, the measured data volume is based on the raw data that is placed into the indexing pipeline. It is not based on the amount of compressed data that is written to disk. Because the data is measured at the indexing pipeline, data that is filtered and dropped prior to indexing does not count against the license volume quota.
When ingesting metrics data, each metric event is measured by volume like event data. However, the per-event size measurement is capped at 150 bytes. Metric events that exceed 150 bytes are recorded as only 150 bytes. Metric events less than 150 bytes are recorded as event size in bytes plus 18 bytes, up to a maximum of 150 bytes. Metrics data draws from the same license quota as event data.
Data that is not measured
The Splunk software troubleshooting and internal communications logs that are indexed into the internal indexes such as
_introspection do not count against your license volume quota.
The use of summary indexing and metric rollup summaries do not count against your license volume quota.
What happens if I exceed my license volume?
License warnings occur when you exceed the indexing volume allowed for your license. The indexing volume is measured daily from midnight to midnight using the system clock on the license manager. See About license violations.
How vCPU is calculated for infrastructure licensing
For Splunk software, a vCPU is any logical CPU core as reported by the host operating system. A vCPU can represent a physical core, a logical core created through the use of hyper-threading or simultaneous multithreading, or a shared logical CPU provided through virtualization. The term vCPU is commonly used when provisioning resources in virtualized environments and in cloud infrastructure allocations; but each implementation of vCPU is unique.
Splunk software uses the CPU's reported by the OS as the total vCPU's for each measured node.
Which nodes are measured for vCPU use?
The total vCPU count across all Splunk Enterprise search heads and indexers count towards the vCPU licensed capacity.
To check the vCPU count in your deployment, use the Resource Usage: CPU Usage dashboards in the Monitoring Console, and filter the report for the search head and indexer roles. See Resource Usage: CPU Usage in the Monitoring Splunk Enterprise manual.
License types and license management
There are multiple types of Splunk software licenses available, see Types of Splunk licenses.
To learn about Splunk software license management, see Allocate license volume.
Share performance and usage data in Splunk Enterprise
Types of Splunk Enterprise licenses
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!