SPLUNK OFFERINGS
Purchase Capacity and Limitations
Offering Capacity Limitations
Splunk Enterprise

Daily Indexing Volume or number of vCPUs as set forth in the Order

“Daily Indexing Volume” means the daily aggregate volume of uncompressed data for indexing as set forth in the Order

“vCPUs” refers to the virtual CPUs to which Splunk Enterprise software has access. Each virtual CPU is equivalent to a distinct hardware thread of execution in a physical CPU core.

Note: For metrics indexing, the Daily Indexing Volume will be calculated by converting each measurement into GB of daily ingestion using a fixed ratio as described in the software documentation.

 
Splunk Cloud

Daily Indexing Volume or number of Splunk Virtual Compute (“SVC”)

"Splunk Virtual Compute (SVC)" means a unit of capabilities in Splunk Cloud that includes the following resources: compute, memory and I/O as further explained in the service documentation.

NOTE: Splunk Cloud is also available as part of Splunk Cloud Foundations, which can be purchased based on the number of SVCs. Please learn more here.

Splunk Enterprise Rapid Adoption Packages

Number of Use Cases identified in the Order

“Use Cases” are defined and listed here: https://www.splunk.com/en_us/legal/use-case-definitions.html

Note: The Rapid Adoption Packages can be purchased in connection with Splunk Cloud as well.

Maximum Daily Index Volume permitted: 25GB (regardless of number of Use Cases)

Deployment type: Limited to a single instance deployment

Not stackable with other Splunk licenses

Splunk Enterprise for DNS & Netflow Data

Daily Indexing Volume

Note: This limited source-type license is also available for Splunk Enterprise Security and Splunk IT Service Intelligence.

Limited Source Types: This license will allow Customers to index the specified Daily Indexing Volume of DNS, Netflow, and/or public cloud access data in any combination of the following data source types:

  • aws:vpc:flowlogs
  • aws:cloudwatchlogs:vpcflow
  • mscs:nsg:flow
  • zeek_conn and/or bro_conn
  • zeek:conn:json and/or bro:conn:json
  • zeek_dns and/or bro_dns
  • zeek:dns:json and/or bro:dns:json
  • *dns* and/or *DNS* (i.e. any source type containing the string dns)
  • flowintegrator
  • *netflow*
  • *sflow*
  • *jflow*

This license can be combined with other daily indexing volume-based Splunk Enterprise licenses.

Any ingest of these specific source types in excess of the Daily Indexing Volume of this license will be counted against the general ingest license capacity of Splunk Enterprise.

Splunk Enterprise for Cisco AnyConnect NVM

Number of Endpoints

Limited Source Types: This license will allow users to index only Cisco AnyConnect Network Visibility Module (NVM) source type data. This source type restricted license can be stacked on other non-source type restricted licenses.

This license is available exclusively from Cisco Systems.

Splunk Analytics for Hadoop

Maximum number of Nodes or Fractional Use of Nodes from which data can be sourced to be analyzed and visualized, as identified in the applicable Order (NOTE: Data in a Node that has already been indexed by Splunk Enterprise (or Splunk Cloud) will not be counted toward the paid volume.)

“Node” means a 64 bit Linux operating system or any other operating system identified in the documentation that runs Hadoop TaskTracker or Node Manager to execute Splunk jobs on Hadoop nodes.

“Fractional Use of Nodes” means the greater of compute load or applicable storage of the number of Nodes in Cluster(s) for a specific use case or business unit, as identified in an Order.

“Cluster” means a group of Nodes administered by one Hadoop JobTracker or Hadoop Resource Manager.

Maximum of five (5) Nodes from which data can be sourced to be analyzed and visualized

Splunk Data Fabric Search (Splunk DFS)

Number of vCPUs as set forth in the Order

“vCPUs” refers to the virtual CPUs to which Splunk DFS software has access. Each virtual CPU is equivalent to a distinct hardware thread of execution in a physical CPU core.

Note: Customers using Splunk Enterprise 8.0, or later, will be entitled to a license for a certain number of vCPUs for Splunk DFS depending on the current active entitlement of Splunk Enterprise. Learn more at https://www.splunk.com/en_us/legal/splunk-data-fabric-search-vcpu-information.html

 
Splunk Data Stream Processor (Splunk DSP)

Number of vCPUs as set forth in the Order

“vCPUs” refers to the virtual CPUs to which Splunk DSP software has access. Each virtual CPU is equivalent to a distinct hardware thread of execution in a physical CPU core.

Note: For the avoidance of doubt, data ingested into Splunk Enterprise through Splunk DSP counts against the license capacity of Splunk Enterprise.

 
Splunk Enterprise Security

Daily Indexing Volume or number of Protected Devices or vCPUs as set forth in the Order

“Protected Device” means any device on the customer network whose IP address is referenced in any data ingested into the Splunk platform. It is not just the devices sending logs to Splunk but also the devices that are mentioned in the logs. For example, a firewall supporting 1,000 desktop PCs connecting to the Web would be 1,001 devices total, as each desktop PC will be referenced in the firewall events, even though all those events are being sent from the single firewall device to Splunk.

 

Note: Existing customers can increase their license capacity based on the number of SVCs they have purchased.

 
Splunk User Behavior Analytics (Splunk UBA)

Number of User Behavior Analytics Monitored Accounts.

“Number of User Behavior Analytics Monitored Accounts” means the number of user and service accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network; or

Daily Indexing Volume. This option is restricted to UBA licenses purchased as an add-on license to Splunk Enterprise Security.

For the latter option, the maximum Daily Indexing Volume is limited to the same data being indexed into Splunk Enterprise Security or a subset thereof and the maximum Number of User Behavior Analytics Monitored Accounts is limited to 250,000.

Splunk Phantom

Number of Events. “Event” means a single event or grouping of discrete information regarding an event sent to the Software to act on; or

Number of User Seats. “User Seats” means the user accounts created for the Software

Maximum Number of Events per 24-hour period measured using Coordinated Universal Time

Each distinct user account may be used only by a single user at a time.

Limited Use Case: For an end user’s internal security purposes only

A “Warm Standby License” may be used only for production failover purposes and may not be deployed concurrently in production with, or at a greater capacity than, the appurtenant primary license and cannot be used as an active platform for any reason unless a failover has occurred.

Splunk Mission Control

Number of User Seats

Note: A certain number of User Seats of Splunk Mission Control will be entitled to customers of Splunk Enterprise Security based on their current license entitlement of Splunk Enterprise Security. Learn more at Seat Entitlement.

Available only to customers of Splunk Enterprise Security

To be used for security use cases only.

Splunk App for PCI Compliance

Daily Indexing Volume

Note: When consumed within Splunk Cloud, SVC is also available.

 
Splunk Insights for Ransomware

Number of Ransomware Monitored Accounts.

“Number of Ransomware Monitored Accounts” means the number of user and service accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network.

Limited Use Case: To detect if any ransomware is present, attempting to be present or attempting to be disseminated in the designated end user’s environment.

Not stackable with other Splunk licenses.

Splunk IT Service Intelligence (Splunk ITSI)

Daily Indexing Volume or number of Managed Entities or vCPUs as set forth in the Order

Number of “Managed Entities” refers to the total number of Hosts (as defined below in IT Cloud) and Assets.  An "Asset" refers to any device or asset with an IP address (e.g., VoIP system, LDAP directory, VPNs, switches, routers) or API endpoints (e.g., serverless functions, Active Directories, M365 service, or Twitter feed) sending data directly to Splunk but that is not already counted as a Host.

Note: Existing customers can increase their license capacity based on the number of SVCs they have purchased.  

 
Splunk Insights for Infrastructure

Volume of data stored

Storage Limits: Once storage limit is reached, any new data stored will replace the earliest stored data in amounts needed to place total storage at or below the storage limit (First In, First Out).

Not stackable with other Splunk licenses.

Splunk Business Flow

Number of Flow Models as set forth in the Order

“Flow Model” refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow.

Customers will receive a number of unpaid Private Flow Models equal to twice the number of purchased Flow Models. Private Flow Models may only be used by administrators for testing, configuration and preview of Flow Models.

Note: For the avoidance of doubt, data ingested to populate Flow Models counts against the license capacity of Splunk Enterprise.

 
Splunk App for Microsoft Exchange

Daily Indexing Volume

 
Splunk App for VMware

Daily Indexing Volume

 
Splunk Insights for AWS Cloud Monitoring

Daily Indexing Volume

Maximum number of users permitted: 5

Splunk for Industrial IoT

Number of Sensors as set forth in the Order

A “Sensor” refers to a unit that streams a single type of numerical time-stamped data from an asset, application or other entity into the Software. A Sensor is measured as a unique combination of 'metric_name' and 'asset' that is ingested into Splunk's metrics index in the past 24 hours.

For every 1000 Sensors licensed, users are entitled to 6GB of Daily Indexing Volume to index unstructured data in Splunk’s event index.

Note: There is no limit on the volume of Sensor data ingested into Splunk’s metric index, irrespective of the conversion of metric measurement as described in the software documentation.

Not stackable with other Splunk licenses

Splunk On-Call

Number of Users

https://victorops.com/pricing

Splunk Infrastructure Monitoring (“Splunk IM”)

For host-based pricing: Number of Hosts, Containers, Custom Metrics, or High Resolution Metrics as indicated in the Order

For usage-based pricing: MTS (Metric Time Series) as measured by the unique combination of a metric and a set of associated dimensions as indicated in the Order

Note: See Specific Hosted Services Terms at www.splunk.com/SpecificTerms for definitions.

https://www.splunk.com/en_us/software/pricing/faqs/devops.html#SignalFx-IM

Splunk APM

For host-based pricing: Number of Hosts and associated entitlements of Containers, Monitoring MetricSets, Troubleshooting MetricSets, and Trace Volume as indicated in the Order

For usage-based pricing: Number of TAPM (Trace Analyzed Per Minute) and associated entitlements of Monitoring MetricSets, Troubleshooting MetricSets, and Trace Volume as indicated in the Order

Note: See Specific Hosted Services Terms at www.splunk.com/SpecificTerms for definitions

https://www.splunk.com/en_us/software/pricing/faqs/devops.html#SignalFx-APM

SignalFx Microservices APM PG (Previous Generation)

For host-based pricing: Number of Hosts, Containers, APM Identities, and Traces Retained Per Minute as indicated in the Order

For usage-based pricing: the rate of data analyzed by Splunk APM as measured by TAPM (Trace Analyzed Per Minute), APM Identities, and Traces Retained Per Minute as indicated in the Order


Note: See Specific Hosted Services Terms at www.splunk.com/SpecificTerms for definitions


 

Available only to current customers of SignalFx Microservices APM PG who also have subscription to Splunk IM

 

Splunk Synthetics

Number of Browser Test Runs

A “Browser Test Run” refers to each simulation of a full business transaction or user journey (up to a maximum of 25 steps). For example, a test with 26 steps that is run every 5 minutes (12 times per hour) from 3 locations per test will count as 72 Browser Test Runs per hour.


Number of API Test Runs


An “API Test Run” refers to a request of a single endpoint or URL using uptime tests or API tests. For multistep API tests, each request counts as an individual API Test Run. For example, a three request API Test running once a minute consumes 180 API Test Runs per hour.

 

 
Splunk IT Cloud

Number of Hosts

 

“Host” means a virtual machine or physical server with a dedicated operating system up to 64 GB of memory

 

Note: See Specific Hosted Services Terms at www.splunk.com/SpecificTerms for additional definitions

Per Host entitlements are described here  

Splunk Security Cloud

Number of Protected Devices (as defined in Splunk Enterprise Security above)

Per Protected Device entitlements are described