Splunk® Enterprise

Admin Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

How Splunk Enterprise licensing works

When data is sent to the Splunk platform, that data is indexed and stored on disk. Part of the indexing process is to measure the volume of data being ingested, and report that volume to the license manager for license volume tracking.

How data is measured

When ingesting event data, the measured data volume is based on the raw data that is placed into the indexing pipeline. It is not based on the amount of compressed data that is written to disk. Because the data is measured at the indexing pipeline, data that is filtered and dropped prior to indexing does not count against the license volume quota.

When ingesting metrics data, each metric event is measured by volume like event data. However, the per-event size measurement is capped at 150 bytes. Metric events that exceed 150 bytes are recorded as only 150 bytes. Metric events less than 150 bytes are recorded as event size in bytes plus 18 bytes, up to a maximum of 150 bytes. Metrics data draws from the same license quota as event data.

Data that is not measured

The Splunk software troubleshooting and internal communications logs that are indexed into the internal indexes such as _internal and _introspection do not count against your license volume quota.

The use of summary indexing and metric rollup summaries do not count against your license volume quota.

What happens if I exceed my license volume?

License warnings occur when you exceed the indexing volume allowed for your license. The indexing volume is measured daily from midnight to midnight using the system clock on the license manager. See About license violations.

How vCPU is calculated for infrastructure licensing

For Splunk software, a vCPU is any logical CPU core as reported by the host operating system. A vCPU can represent a physical core, a logical core created through the use of hyper-threading or simultaneous multithreading, or a shared logical CPU provided through virtualization. The term vCPU is commonly used when provisioning resources in virtualized environments and in cloud infrastructure allocations; but each implementation of vCPU is unique.

Splunk software uses the CPU's reported by the OS as the total vCPU's for each measured node.

Which nodes are measured for vCPU use?

The total vCPU count across all Splunk Enterprise search heads and indexers count towards the vCPU licensed capacity.

To check the vCPU count in your deployment, use the Resource Usage: CPU Usage dashboards in the Monitoring Console, and filter the report for the search head and indexer roles. See Resource Usage: CPU Usage in the Monitoring Splunk Enterprise manual.

License types and license management

There are multiple types of Splunk software licenses available, see Types of Splunk licenses.

To learn about Splunk software license management, see Allocate license volume.

Last modified on 04 May, 2023
Share performance and usage data in Splunk Enterprise   Types of Splunk Enterprise licenses

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters