Support
Support Portal

Submit a case ticket

Splunk Answers

Ask Splunk experts questions

Support Programs

Find support service offerings

System Status

View detailed status

Contact Us

Contact our customer support

Product Security Updates

Keep your data secure
Languages
Click User Account
- Log In
- Sign Up
- My Dashboard
- Instances
- My Training
- Logout

Products
Product Overview
A data platform built for expansive data access, powerful analytics and automation
Learn More

MORE FROM SPLUNK

Pricing

Free Trials & Downloads
Platform

Splunk Cloud Platform

Cloud-powered insights for petabyte-scale data analytics across the hybrid cloud

Splunk Enterprise

Search, analysis and visualization for actionable insights from all of your data

Security

Splunk Enterprise Security

Analytics-driven SIEM to quickly detect and respond to threats

Splunk SOAR

Security orchestration, automation and response to supercharge your SOC

Observability

Splunk Infrastructure Monitoring

Instant visibility and accurate alerts for improved hybrid cloud performance

Splunk Application Performance Monitoring

Full-fidelity tracing and always-on profiling to enhance app performance

Splunk IT Service Intelligence

AIOps, incident intelligence and full visibility to ensure service performance
View All Products
Solutions
KEY INItiatives

Cloud Transformation

Transform your business in the cloud with Splunk.

Business Resilience

Build resilience to meet today’s unpredictable business challenges.

Digital Customer Experience

Deliver the innovative and seamless experiences your customers expect.
by Use Case

Advanced Threat Detection

Application Modernization

Cloud Migration

Incident Investigation & Forensics

IT Modernization

SOC Automation & Orchestration

BY TECHNOLOGY

AWS

Azure

GCP

Kubernetes

OpenTelemetry

SAP

BY INDUSTRY

Aerospace & Defense

Energy & Utilities

Financial Services

Healthcare

Higher Education

Public Sector
View All Solutions
Why Splunk?
Why Splunk?
Bring data to every question, decision and action across your organization.
Learn More
Customer Stories

See why organizations around the world trust Splunk.

Partners

Accelerate value with our powerful partner ecosystem.

Diversity, Equity & Inclusion

Learn how we support change for customers and communities.
Resources
MORE FROM SPLUNK

Resources
Explore e-books, white papers and more.

Events
Join us at an event near you.

Blogs
See what Splunk is doing.
GET STARTED

Splunk Lantern

Splunk experts provide clear and actionable guidance.

Customer Success

Customer success starts with data success.

Splunk Cloud Platform Migration

Plan your migration with helpful Splunk resources.

Get Started With Splunk

Learn how to use Splunk.

Data Insider

Read focused primers on disruptive technology topics.

become an expert

Splunk Training & Certification

Become a certified Splunk Expert.

Documentation

Find answers about how to use Splunk.

User Groups

Meet Splunk enthusiasts in your area.

Community

Share knowledge and inspiration.

SURGe

Access timely security research and guidance.

Expand & optimize

Services & Support

It’s easy to get the help you need.

Splunkbase

See Splunk’s 1,000+ Apps and Add-ons.

Splunk Dev

Create your own Splunk Apps.

Offering	Capacity	Limitations
Splunk Enterprise	Daily Indexing Volume or number of vCPUs as set forth in the Order “Daily Indexing Volume” means the daily aggregate volume of uncompressed data for indexing as set forth in the Order “*vCPUs*” refers to the virtual CPUs to which Software has access. Each virtual CPU is equivalent to a distinct hardware thread of execution in a physical CPU core. Note: For metrics indexing, the Daily Indexing Volume will be calculated by converting each measurement into GB of daily ingestion using a fixed ratio as described in the software documentation.
Splunk Cloud Platform	Daily Indexing Volume or number of Splunk Virtual Compute (“SVC”) *"Splunk Virtual Compute (SVC)"* means a unit of capabilities in Splunk Cloud Platform that includes the following resources: compute, memory and I/O as further explained in the service documentation.
Splunk Enterprise Rapid Adoption Packages	Number of Use Cases identified in the Order “Use Cases” are defined and listed here: https://www.splunk.com/en_us/legal/use-case-definitions.html Note: The Rapid Adoption Packages can be purchased in connection with Splunk Cloud Platform as well.	Maximum Daily Index Volume permitted: 25GB (regardless of number of Use Cases) Deployment type: Limited to a single instance deployment Not stackable with other Splunk licenses
Splunk Enterprise for DNS & Netflow Data	Daily Indexing Volume Note: This limited source-type license is also available for Splunk Enterprise Security and Splunk IT Service Intelligence.	Limited Source Types: This license will allow Customers to index the specified Daily Indexing Volume of DNS, Netflow, and/or public cloud access data in any combination of the following data source types: aws:vpc:flowlogs aws:cloudwatchlogs:vpcflow mscs:nsg:flow zeek_conn and/or bro_conn zeek:conn:json and/or bro:conn:json zeek_dns and/or bro_dns zeek:dns:json and/or bro:dns:json dns and/or DNS (i.e. any source type containing the string dns) corelight_conn corelight_conn_red flowintegrator netflow sflow jflow This license can be combined with other daily indexing volume-based Splunk Enterprise licenses. Any ingest of these specific source types in excess of the Daily Indexing Volume of this license will be counted against the general ingest license capacity of Splunk Enterprise.
Splunk Enterprise for Cisco AnyConnect NVM	Number of Endpoints	Limited Source Types: This license will allow users to index only Cisco AnyConnect Network Visibility Module (NVM) source type data. This source type restricted license can be stacked on other non-source type restricted licenses. This license is available exclusively from Cisco Systems. Each Endpoint allows indexing of 10MB/day.
Splunk Analytics for Hadoop	Maximum number of Nodes or Fractional Use of Nodes from which data can be sourced to be analyzed and visualized, as identified in the applicable Order (Note: Data in a Node that has already been indexed by Splunk Enterprise (or Splunk Cloud Platform) will not be counted toward the paid volume.) “Node” means a 64 bit Linux operating system or any other operating system identified in the documentation that runs Hadoop TaskTracker or Node Manager to execute Splunk jobs on Hadoop nodes. “Fractional Use of Nodes” means the greater of compute load or applicable storage of the number of Nodes in Cluster(s) for a specific use case or business unit, as identified in an Order. “Cluster” means a group of Nodes administered by one Hadoop JobTracker or Hadoop Resource Manager.	Maximum of five (5) Nodes from which data can be sourced to be analyzed and visualized
Splunk Data Stream Processor (Splunk DSP)	Number of vCPUs as set forth in the Order Note: For the avoidance of doubt, data ingested into Splunk Enterprise through Splunk DSP counts against the license capacity of Splunk Enterprise.
Splunk Enterprise Security	Daily Indexing Volume or number of vCPUs as set forth in the Order Note: When consumed within Splunk Cloud Platform, SVC is also available.
Splunk User Behavior Analytics (Splunk UBA)	Number of User Behavior Analytics Monitored Accounts. “Number of User Behavior Analytics Monitored Accounts” means the number of user and service accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network; or Daily Indexing Volume. This option is restricted to UBA licenses purchased as an add-on license to Splunk Enterprise Security.	For the latter option, the maximum Daily Indexing Volume is limited to the same data being indexed into Splunk Enterprise Security or a subset thereof and the maximum Number of User Behavior Analytics Monitored Accounts is limited to 250,000.
Splunk Phantom	Number of Events. “Event” means a single event or grouping of discrete information regarding an event sent to the Software to act on; or Number of User Seats. “User Seats” means the user accounts created for the Software	Maximum Number of Events per 24-hour period measured using Coordinated Universal Time Each distinct user account may be used only by a single user at a time. (i.e., simultaneous logins by multiple users leveraging the same user account is disallowed). Limited Use Case: For an end user’s internal security purposes only
Splunk Mission Control	Number of User Seats Note: A certain number of User Seats of Splunk Mission Control will be entitled to customers of Splunk Enterprise Security based on their current license entitlement of Splunk Enterprise Security. Learn more at Seat Entitlement.	Available on a limited basis to customers of Splunk Enterprise Security (either as a stand-alone product or part of a suite) To be used for security use cases only.
Splunk SOAR Cloud	Number of User Seats (as defined above in Splunk Phantom).	Each distinct user account may be used only by a single user (i.e., simultaneous logins by multiple users leveraging the same user account is disallowed).
Splunk App for PCI Compliance	Daily Indexing Volume Note: When consumed within Splunk Cloud Platform, SVC is also available.
Splunk Insights for Ransomware	Number of Ransomware Monitored Accounts. “Number of Ransomware Monitored Accounts” means the number of user and service accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network.	Limited Use Case: To detect if any ransomware is present, attempting to be present or attempting to be disseminated in the designated end user’s environment. Not stackable with other Splunk licenses.
Splunk IT Service Intelligence (Splunk ITSI)	Daily Indexing Volume or number of vCPUs as set forth in the Order Note: When consumed within Splunk Cloud Platform, SVC is also available.
Splunk Insights for Infrastructure	Volume of data stored	Storage Limits: Once storage limit is reached, any new data stored will replace the earliest stored data in amounts needed to place total storage at or below the storage limit (First In, First Out). Not stackable with other Splunk licenses.
Splunk On-Call	Number of Users	https://www.splunk.com/en_us/software/pricing/faqs/observability.html#splunk-on-call
Splunk Infrastructure Monitoring (“Splunk IM”)	For host-based pricing: Number of Hosts and associated entitlements of Containers, Custom Metrics, and High Resolution Metrics as indicated in the Order For usage-based pricing: MTS (Metric Time Series) as measured by the unique combination of a metric and a set of associated dimensions as indicated in the Order Note: See Specific Offering Terms at www.splunk.com/SpecificTerms for definitions.	Usage and subscription limit enforcement are described here
Splunk APM	For host-based pricing: Number of Hosts and associated entitlements of Containers, Profiled Containers, Monitoring MetricSets, Troubleshooting MetricSets, Trace Volume, and Profiling Volume as indicated in the Order For usage-based pricing: Number of TAPM (Trace Analyzed Per Minute) and associated entitlements of Monitoring MetricSets, Troubleshooting MetricSets, Trace Volume, and Profiling Volume as indicated in the Order Note: See Specific Offering Terms at www.splunk.com/SpecificTerms for definitions	Usage and subscription limit enforcement are described here
Splunk Synthetic Monitoring	Number of Browser Test Runs per month A “*Browser Test Run” refers to each simulation of a full business transaction or user journey (up to a maximum of 25 steps) using a full web browser. For example, a test with 26 steps that is run every 5 minutes (12 times per hour) from 3 locations per test will count as 72 Browser Test Runs per hour. Number of API Test Runs per month An “API Test Run” refers to a request of a single API endpoint. For multistep API Tests, each request counts as an individual API Test Run. For example, a three request API Test running once a minute consumes 180 API Test Runs per hour. Number of Uptime Test Runs per month An “Uptime Test Run” refers to a request of a single URL to check for availability of a website or application. For example, an Uptime Test running once a minute consumes 60 Uptime Test Runs per hour. Number of Web Optimization Scans per month A “Web Optimization Scan”* refers to a single performance evaluation of a single webpage.	Usage and subscription limit enforcement are described here
Splunk Log Observer	For host-based pricing: Number of Hosts For usage-based pricing: Volume of Indexed Data or Ingested Data “Indexed Data” means logs that are parsed, extracted and indexed for fast querying “Ingested Data” means logs that are stored in Customer’s object store and not queried Note: See Specific Offering Terms at www.splunk.com/SpecificTerms for definitions	Usage and subscription limit enforcement are described here Available only to customers of Splunk IM, Splunk APM or Splunk Observability Cloud 30-day retention for Indexed Data. Options to expand to 60-day or 90-day retention for Indexed Data.
Splunk Real User Monitoring (“Splunk RUM”)	Sessions per month A “Session” refers to a group of user interactions on an application (for a maximum of 4 hours). A Session begins when a user loads the front-end application and ends when the application is terminated or expires. Sessions will also expire after 15 minutes of inactivity.	Usage and subscription limit enforcement are described here
Splunk Observability Cloud	Number of Hosts Note: See Specific Offering Terms at www.splunk.com/SpecificTerms for additional definitions	Per Host entitlements are described here.

Prior versions of SPLUNK OFFERINGS

Contact Sales

Splunk Offerings Purchase Capacity and Limitations