More about Splunk Free

This documentation applies to the following versions of Splunk: 4.0.5, 4.0.6

Splunk Free is a totally free (as in beer) version of Splunk. It allows you to index up to 500MB/day and will never expire. If you go over 500MB/day more than 3 times in a 30 day period, Splunk will continue to index your data, but search will be disabled until you are back down to 3 or fewer times in the 30 day period.

What's it for?

Splunk Free is designed for personal, ad-hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets--Splunk Free allows you to bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
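A way to check a planned bulk load against the limit described above, as an added example (not Splunk's own code or licensing logic). It assumes a trailing 30-day window that includes the current day and counts a violation only when a day's volume is strictly above 500MB; the page does not say how Splunk measures either, and the dates and volumes are constructed.

```python
from collections import deque
from datetime import date, timedelta

DAILY_LIMIT_MB = 500   # from the page: index up to 500MB/day
MAX_VIOLATIONS = 3     # from the page: search is disabled above 3 violations
WINDOW_DAYS = 30       # from the page: counted over a 30 day period


def search_status(daily_mb):
    """Return [(day, violations_in_window, search_enabled)] for each day.

    daily_mb maps datetime.date -> MB indexed that day.
    Assumption: the window is the WINDOW_DAYS days ending on that day.
    """
    if not daily_mb:
        return []
    violations = deque()  # dates of over-limit days still inside the window
    out = []
    day, last = min(daily_mb), max(daily_mb)
    while day <= last:
        if daily_mb.get(day, 0) > DAILY_LIMIT_MB:
            violations.append(day)
        # Drop violations that have aged out of the trailing window.
        while violations and violations[0] <= day - timedelta(days=WINDOW_DAYS):
            violations.popleft()
        out.append((day, len(violations), len(violations) <= MAX_VIOLATIONS))
        day += timedelta(days=1)
    return out


def lockout_days(daily_mb):
    """Days on which search would be disabled under the assumptions above."""
    return [d for d, _, enabled in search_status(daily_mb) if not enabled]


# Constructed sample: steady 120MB/day plus four bulk loads of case data.
START = date(2010, 1, 1)
SAMPLE = {START + timedelta(days=i): 120 for i in range(45)}
for offset in (2, 5, 9, 12):
    SAMPLE[START + timedelta(days=offset)] = 4000

if __name__ == "__main__":
    locked = lockout_days(SAMPLE)
    print("search disabled from", locked[0], "to", locked[-1],
          f"({len(locked)} days)")
```

With the constructed data, the fourth bulk load disables search for 20 days, until the first violation ages out of the window.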

What is and isn't enabled

Splunk Free is a single-user product. All of Splunk's features are supported with the exception of:

  • Multiple user accounts and role-based access controls (there's no authentication when using Splunk Free)
  • Distributed search
  • Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
  • Deployment management
  • Scheduled saved searches (including summary indexing) and alerting/monitoring

Switching to Free from an Enterprise (Trial) License

When you first download and install Splunk, you are automatically using an Enterprise Trial license. You can continue to use the Enterprise Trial License until it expires, or switch to the Free license right away, depending on your requirements.

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

  • User accounts or roles that you've created will no longer work.
  • Anyone connecting to the instance will automatically be logged on as 'admin'. You will no longer see a login screen, though you will see the update check occur.
  • Any knowledge objects created by any user other than 'admin' (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can either:
    • use Manager to promote them to be globally available before you switch using the information in this topic, or
    • hand edit the configuration files they are in to promote them as described here
  • Scheduled searches you've set up (including alerts and summary indexing searches) will no longer fire/function.
    • you will no longer receive alerts from Splunk
    • searches and reports expecting summary indexes may be inaccurate, or return no results
    • dashboards that use search artifacts (such as via HiddenSavedSearch) will run the searches when you load them
  • Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats will stop working.

When you attempt to make any of the above configurations in Manager while using an Enterprise Trial, you will be warned about these limitations in Splunk Free.

How do I switch to Splunk Free?

If you currently have Splunk Enterprise (trial or not), you can either wait for your Enterprise License to expire, or switch to a Free License at any time. To switch to a Free License:

1. Log in to Splunk Web as a user with admin privileges and navigate to Manager > License.

2. Review the text below the License and usage area, find the "switch to a free license" link, and click it. A login page is displayed.

3. Select Switch to Free License and click Continue.

4. You are prompted to reboot.

Revision: 207 | Community content licensed under Creative Commons