Each instance of Splunk server must have its own license. This topic discusses the different Splunk licenses, how to install or update a license, and what to do when you have a violation on your license.
Note: You must purchase a separate license for every instance of Splunk with an Enterprise license that you deploy.
Splunk provides two standard types of licenses, an Enterprise license, and a Free license.
When you download Splunk for the first time, you are asked to register. Your registration authorizes you to receive an Enterprise trial license, which allows a maximum indexing volume of 500 MB/day. The Enterprise trial license expires 60 days from download.
If you are running with an Enterprise license and your license expires or you exceed your allowed indexing volume more than 5 times in a 30 day period, Splunk continues to index your data. However, you will not be able to search until you either install a new license, switch to the Free license, or your number of license violations drops below 5 times in a 30 day period.
Once you have installed Splunk, you can choose to run Splunk with the Enterprise trial license until it expires, purchase an Enterprise license, or switch to the Free license, which is included.
The Free license is not a trial license and does not have an expiration date. It also allows 500MB/day of indexing volume, but the following features that are available with the Enterprise license are disabled:
Learn more about Splunk with a Free license
Find more information about the different license features here. Also, read Splunk's Free license agreement.
You can request trial Enterprise licenses of varying size and duration. The default evaluation period is 60 days. If you are preparing a pilot for a large deployment and have requirements for a longer duration or higher indexing volumes during your trial, contact Splunk Sales with your request.
Splunk's Preview releases require a different license that is not compatible with other Splunk releases. If you are evaluating a Preview release of Splunk, it will not run with a Free or Enterprise license. Preview licenses typically enable Enterprise features, they are just restricted to Preview releases. If you are evaluating a Preview version of Splunk, it will come with its own license.
Each instance of Splunk must have its own license. Splunk includes a forwarder license that you must install on each Splunk forwarder. This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.
A license isn't required to enable forwarding, but enables security on the forwarder so that users must supply username and password to access it.
A forwarder license is included with the product. You do not need to contact Sales or Support to request this license.
1. Stop Splunk (./splunk stop)
2. Copy $SPLUNK_HOME/etc/splunk-forwarder.license to
$SPLUNK_HOME/etc/splunk.license
3. Start Splunk (./splunk start) This license does not limit how much data you can forward from that machine.
Note: This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.
All Splunk servers have a license located in $SPLUNK_HOME/etc/, whether it is a Free license (splunk-free.license) or an Enterprise license (splunk.license). You can install and update your licenses with the CLI or using Splunk Web.
1. Log into Splunk Web as the admin user.
2. Click Manager>License.
3. Click Change License.
4. Paste in your license key and click Save.
5. Return to the main Manager tab and click Restart Splunk.
Starting with 4.0.2, by default when you start Splunk for the first time, it moves aside any existing 3.x license and replaces it with a temporary Enterprise trial license. This allows you to bring up the new version of Splunk without having your license be expired until you get your new one copied in.
If you are migrating to Splunk 4.0.2 or later and have a valid 4.x license, you can pre-seed the license file so that it pulls in and installs your new license the first time you start Splunk 4. This is useful if you have to deploy multiple instances and don't want to have to manually copy the new license in after starting Splunk on each machine.
If you're making a deployable package, you can include the splunk-user.license file with your updated license in it before you tar/zip it up for deployment to other systems.
Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have more than 5 violations in a rolling 30-day period, search will be disabled. Search capabilities return when you have less than 5 violations in the previous 30 days or when you apply a new license with a larger volume limit.
Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks search access while you exceed the allowed number of license violations.