SPLUNK PRODUCTS
Licensed Capacity and Limitations
Product |
Licensed Capacity |
License Limitations |
Splunk Enterprise & Splunk Light |
“Daily Indexing Volume” means the daily aggregate volume of uncompressed data for indexing as set forth in the Order Note: For metrics indexing, the Daily Indexing Volume will be calculated by converting each measurement into GB of daily ingestion using a fixed ratio as described in the software documentation |
Maximum number of users permitted for Splunk Light: 5 Deployment type for Splunk Light: Limited to a single instance deployment |
Splunk Enterprise Rapid Adoption Packages |
Number of Use Cases identified in the Order “Use Cases” are defined and listed here: https://www.splunk.com/en_us/legal/use-case-definitions.html |
Maximum Daily Index Volume permitted: 25GB (regardless of number of Use Cases) Deployment type: Limited to a single instance deployment Not stackable with other Splunk licenses |
Splunk Enterprise for DNS & Netflow Data |
Daily Indexing Volume |
Limited Source Types: This license will allow Customers to index the specified Daily Indexing Volume of DNS, Netflow, and/or public cloud access data in any combination of the following data source types:
This license can be combined with other general licenses of Splunk Enterprise. Any ingest of these specific source types in excess of the Daily Indexing Volume of this license will be counted against the general ingest license capacity of Splunk Enterprise. |
Splunk Enterprise for Cisco AnyConnect NVM |
Number of Endpoints |
Limited Source Types: This license will allow users to index only Cisco AnyConnect Network Visibility Module (NVM) source type data. This source type restricted license can be stacked on other non-source type restricted licenses. This license is available exclusively from Cisco Systems. |
Splunk Analytics for Hadoop |
Maximum number of Nodes or Fractional Use of Nodes from which data can be sourced to be analyzed and visualized, as identified in the applicable Order (NOTE: Data in a Node that has already been indexed by Splunk Enterprise (or Splunk Light or Splunk Cloud) will not be counted toward the paid volume.) |
Maximum of five (5) Nodes from which data can be sourced to be analyzed and visualized |
Splunk Enterprise Security |
Daily Indexing Volume |
|
Splunk IT Service Intelligence (Splunk ITSI) |
Daily Indexing Volume |
|
Splunk User Behavior Analytics (Splunk UBA) |
Number of User Behavior Analytics Monitored Accounts. “Number of User Behavior Analytics Monitored Accounts” means the number of user and service accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network; or Daily Indexing Volume. This option is restricted to UBA licenses purchased as an add-on license to Splunk Enterprise Security. |
For the latter option, the maximum Daily Indexing Volume is limited to the same data being indexed into Splunk Enterprise Security or a subset thereof and the maximum Number of User Behavior Analytics Monitored Accounts is limited to 250,000. |
Splunk App for PCI Compliance |
Daily Indexing Volume |
|
Splunk App for Microsoft Exchange |
Daily Indexing Volume |
|
Splunk App for VMware |
Daily Indexing Volume |
|
Splunk Insights for Ransomware |
Number of Ransomware Monitored Accounts. “Number of Ransomware Monitored Accounts” means the number of user and service accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network. |
Limited Use Case: To detect if any ransomware is present, attempting to be present or attempting to be disseminated in the designated end user’s environment. Not stackable with other Splunk licenses. |
| Splunk Insights for AWS Cloud Monitoring | Daily Indexing Volume |
Maximum number of users permitted: 5 |
Splunk Insights for Infrastructure |
Volume of data stored |
Storage Limits: Once storage limit is reached, any new data stored will replace the earliest stored data in amounts needed to place total storage at or below the storage limit (First In, First Out). Not stackable with other Splunk Licenses |
Splunk Phantom |
Number of Events. “Event” means a single event or grouping of discrete information regarding an event sent to the Software to act on; or Number of User Seats. “User Seats” means the user accounts created for the Software |
Maximum Number of Events per 24 hour period measured using Coordinated Universal Time Each distinct user account may be used only by a single user at a time. Limited Use Case: For an end user’s internal security purposes only A “Warm Standby License” may be used only for production failover purposes and may not be deployed concurrently in production with, or at a greater capacity than, the appurtenant primary license and cannot be used as an active platform for any reason unless a failover has occurred. |
Splunk for Industrial IoT |
Number of Sensors as set forth in the Order A “Sensor” refers to a unit that streams a single type of numerical time-stamped data from an asset, application or other entity into the Software. A Sensor is measured as a unique combination of 'metric_name' and 'asset' that is ingested into Splunk's metrics index in the past 24 hours. For every 1000 Sensors licensed, users are entitled to 6GB of Daily Indexing Volume to index unstructured data in Splunk’s event index. Note: There is no limit on the volume of Sensor data ingested into Splunk’s metric index, irrespective of the conversion of metric measurement as described in the software documentation. |
Not stackable with other Splunk licenses |
Splunk Business Flow |
Number of Flow Models as set forth in the Order “Flow Model” refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow. Customer will receive a number of unpaid Private Flow Models equal to twice the number of purchased Flow Models. Private Flow Models may only be used by administrators for testing, configuration and preview of Flow Models. Note: For the avoidance of doubt, data ingested to populate Flow Models counts against the license capacity of Splunk Enterprise. |
|
Splunk Data Fabric Search (Splunk DFS) |
Number of vCPUs as set forth in the Order “vCPUs” refers to the virtual CPUs to which Splunk DFS software has access. Each virtual CPU is equivalent to a distinct hardware thread of execution in a physical CPU core. Note: Customers using Splunk Enterprise 8.0, or later, will be entitled to a license for a certain number of vCPUs for Splunk DFS depending on the current active entitlement of Splunk Enterprise. Learn more at https://www.splunk.com/en_us/legal/splunk-data-fabric-search-vcpu-information.html |
|
Splunk Data Stream Processor (Splunk DSP) |
Number of virtual CPUs (vCPUs) set forth in the Order “vCPUs” refers to the virtual CPUs to which Splunk DSP software has access. Each virtual CPU is equivalent to a distinct hardware thread of execution in a physical CPU core. Note: For the avoidance of doubt, data ingested into Splunk Enterprise through Splunk DSP counts against the license capacity of Splunk Enterprise. |
|