Splunk® Enterprise

Admin Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Licenses and distributed deployments

Distributed Splunk Enterprise deployments consist of multiple Splunk Enterprise instances. Separate instances perform various functions such as indexing and search management. Each instance is categorized as one or more component types, based on the functions that it performs. See Scale your deployment with Splunk Enterprise components and Components that help to manage your deployment in Distributed Deployment. In most cases, an instance serves as just a single component, but it is possible for an instance sometimes to combine the functionality of several components.

This topic does not pertain to standalone Splunk Enterprise deployments, which consist of a single Splunk Enterprise instance plus forwarders. For a standalone deployment, simply install the appropriate license directly on the instance. See Install a license.

License requirements

All Splunk software instances must have a license.

  • Splunk Enterprise instances need access to an Enterprise license unless they are functioning only as forwarders. The license access is required even when they do not index external data. Access to specific features of a distributed deployment, such as distributed search and deployment server are only available with Enterprise licenses. The recommended way to connect instances to an Enterprise license is to associate the instance with a license manager. See Configure a license peer.
  • Universal forwarders only need a Forwarder license. If a heavy forwarder is performing additional functions such as indexing data or managing searches, it requires access to an Enterprise license.

This table provides a summary of the license needs for the various Splunk Enterprise component types.

Component type License type Notes
Indexer Enterprise
Search head Enterprise
Deployment server Enterprise
Indexer cluster manager node Enterprise
Search head cluster deployer Enterprise
Monitoring console Enterprise
Universal forwarder Forwarder
Light forwarder Forwarder
Heavy forwarder Enterprise or Forwarder Heavy forwarders that index data or use other Splunk Enterprise features need access to an Enterprise license.

Components and licensing issues


The Indexers index, store, and search external data.

To participate in a distributed deployment, indexers need access to an Enterprise license. The data that indexers ingest is metered against the license.

Search heads

A search head is a Splunk Enterprise instance that manages searches.

Search heads need access to an Enterprise license.


Forwarders ingest data and forward that data to another forwarder or an indexer. Because data is not metered until it is indexed, forwarders do not incur license usage.

In most distributed deployments, forwarders only need a Forwarder license.

There are several types of forwarders:

  • The universal forwarder has the Forwarder license applied automatically.
  • The light forwarder must be changed manually to another license type. You can use the Forwarder license, but you must manually enable it by changing to the Forwarder license group.
  • The heavy forwarder must be changed manually to another license type. If the heavy forwarder will be performing indexing or using other Enterprise features, it must be connected to a license manager node.

A forwarder can use the Free license instead of a Forwarder license, but some critical functionality is unavailable with a Free license. For example, a forwarder using a Free license cannot be a deployment client and it does not offer any authentication.

Management components

All Splunk Enterprise instances functioning as management components need access to an Enterprise license.

Management components include the deployment server, the indexer cluster manager node, the search head cluster deployer, and the monitoring console. For information on management components, see Components that help to manage your deployment.

Clustered deployments and licensing issues

Indexer cluster nodes

Each indexer cluster node requires an Enterprise license. There are a few license issues that are specific to indexer clusters:

  • Cluster nodes must all share the same licensing configuration.
  • Only incoming data counts against the license; replicated data does not.

Search head cluster members

Each search head cluster member needs access to an Enterprise license. The search head cluster deployer, which distributes apps to the members, also needs access to an Enterprise license.

Last modified on 15 November, 2023
Types of Splunk Enterprise licenses   Allocate license volume

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters