Licenses and distributed deployments
Distributed Splunk Enterprise deployments consist of multiple Splunk Enterprise instances. Separate instances perform various functions such as indexing and search management. Each instance is categorized as one or more component types, based on the functions that it performs. See Scale your deployment with Splunk Enterprise components and Components that help to manage your deployment in Distributed Deployment. In most cases, an instance serves as just a single component, but it is possible for an instance sometimes to combine the functionality of several components.
This topic does not pertain to standalone Splunk Enterprise deployments, which consist of a single Splunk Enterprise instance plus forwarders. For a standalone deployment, simply install the appropriate license directly on the instance. See Install a license.
All Splunk software instances must have a license.
- Splunk Enterprise instances need access to an Enterprise license unless they are functioning only as forwarders. The license access is required even when they do not index external data. Access to specific features of a distributed deployment, such as distributed search and deployment server are only available with Enterprise licenses. The recommended way to connect instances to an Enterprise license is to associate the instance with a license manager. See Configure a license peer.
- Universal forwarders only need a Forwarder license. If a heavy forwarder is performing additional functions such as indexing data or managing searches, it requires access to an Enterprise license.
This table provides a summary of the license needs for the various Splunk Enterprise component types.
|Component type||License type||Notes|
|Indexer cluster manager node||Enterprise|
|Search head cluster deployer||Enterprise|
|Heavy forwarder||Enterprise or Forwarder||Heavy forwarders that index data or use other Splunk Enterprise features need access to an Enterprise license.|
Components and licensing issues
The Indexers index, store, and search external data.
To participate in a distributed deployment, indexers need access to an Enterprise license. The data that indexers ingest is metered against the license.
A search head is a Splunk Enterprise instance that manages searches.
Search heads need access to an Enterprise license.
Forwarders ingest data and forward that data to another forwarder or an indexer. Because data is not metered until it is indexed, forwarders do not incur license usage.
In most distributed deployments, forwarders only need a Forwarder license. See Forwarder license.
There are several types of forwarders:
- The universal forwarder has the Forwarder license applied automatically.
- The light forwarder must be changed manually to another license type. You can use the Forwarder license, but you must manually enable it by changing to the Forwarder license group.
- The heavy forwarder must be changed manually to another license type. If the heavy forwarder will be performing indexing or using other Enterprise features, it must be connected to a license manager node.
A forwarder can use the Free license instead of a Forwarder license, but some critical functionality is unavailable with a Free license. For example, a forwarder using a Free license cannot be a deployment client and it does not offer any authentication.
All Splunk Enterprise instances functioning as management components need access to an Enterprise license.
Management components include the deployment server, the indexer cluster manager node, the search head cluster deployer, and the monitoring console. For information on management components, see Components that help to manage your deployment.
Clustered deployments and licensing issues
Indexer cluster nodes
Each indexer cluster node requires an Enterprise license. There are a few license issues that are specific to indexer clusters:
- Cluster nodes must all share the same licensing configuration.
- Only incoming data counts against the license; replicated data does not.
Search head cluster members
Each search head cluster member needs access to an Enterprise license. The search head cluster deployer, which distributes apps to the members, also needs access to an Enterprise license.
Types of Splunk Enterprise licenses
Allocate license volume
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1