Installation

Questions about licenses for search heads?

Steve_G_
Splunk Employee
Splunk Employee

The docs are quite unclear on the matter of licenses for search heads. I'm referring mainly to http://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/TypesofSplunklicenses#Licenses_for_search_he... , although other, peripheral mentions of search heads in the context of licensing are equally muddled.

In places, the docs seem to imply, if not outright state, that licenses are optional (albeit advised) for search heads. But then the section referenced above states, "... you must have an Enterprise license to configure a search head." If that statement is true, then how can a license be optional for a search head?

If, in fact, licenses are somehow optional for search heads, what happens if you do not add a search head to the license pool? Is the search head's functionality limited in some ways? Precisely what ways?

Finally, do search heads that are properly configured (that is, that are purely search heads and are not indexing any external data) ever consume license volume?

To make this worth your time, I promise to rewrite the docs to clarify all this stuff if I get some good answers. Also, I will definitely remember to accept the most helpful answer I get.

Labels (2)
1 Solution

somesoni2
SplunkTrust
SplunkTrust

IMO, the search heads need a Splunk Enterprise license (or a reference to a licnese master with valid Splunk Enterprise licenses) in order to be working a "Search Head" for a deployment. Here a search head could distribute search, provide access management, be a member of clusters and many other features.

Without a valid Splunk Enterprise license, the Splunk instance will use a Free license (I'm excluding Splunk trial license from the discussion), which can only search it's own data (no distributed search), no clustering, no access control etc. See this for more details on un-available features:
https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/MoreaboutSplunkFree

When we say it Splunk license is optional, it means that you don't need a dedicated license for Search Head. It can just be associated with a license master which has valid Splunk licenses.

Splunk recommends that you do not do any local indexing on Search Heads and forward all it's logs (any monitored data, summary index and internal data) to Indexers. If a search heads is configured properly/recommended way, it will not consume any license volume.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

IMO, the search heads need a Splunk Enterprise license (or a reference to a licnese master with valid Splunk Enterprise licenses) in order to be working a "Search Head" for a deployment. Here a search head could distribute search, provide access management, be a member of clusters and many other features.

Without a valid Splunk Enterprise license, the Splunk instance will use a Free license (I'm excluding Splunk trial license from the discussion), which can only search it's own data (no distributed search), no clustering, no access control etc. See this for more details on un-available features:
https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/MoreaboutSplunkFree

When we say it Splunk license is optional, it means that you don't need a dedicated license for Search Head. It can just be associated with a license master which has valid Splunk licenses.

Splunk recommends that you do not do any local indexing on Search Heads and forward all it's logs (any monitored data, summary index and internal data) to Indexers. If a search heads is configured properly/recommended way, it will not consume any license volume.

Steve_G_
Splunk Employee
Splunk Employee

Thanks for your help with these issues. Your answer really helped me to sort out some confusing statements in the docs. I have begun updating the referenced material to incorporate your insights. Stay tuned for many more improvements to the licensing docs in the days and weeks to come!

adonio
Ultra Champion

hello there,

maybe not a complete answer, but this is what i got:
i think that the major reason for adding a license to the Search Head is to allow the enterprise functions that are related to search head instance. for example: Access Control, Distributed Search, Monitoring and Alerting (schedule stuff). read here more:
https://www.splunk.com/en_us/software/features-comparison-chart.html
regarding question (1) i dont know
regarding question (2) if a search head has a license and not added to the pool - imho nothing happens but i am not sure, i think though, that by default, full splunk instances that are slaves to a license master are automatically joining the default pool (auto-generated-pool)
also, if there is no license master, and you are in a distributed environment of some sort, most likely the search head is the license master itself.
question (3) a splunk instance with outputs.conf will never consume license as far as i am aware.

hope it helps

Steve_G_
Splunk Employee
Splunk Employee

Thank you for your answer. In conjunction with the other answer, it helped me gain useful clarity regarding some ambiguous material in the current docs. I have begun improving that material based on the answers, and hope to make improvements to other licensing material in the coming days and weeks.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...