Is the Free license for home lab available?

toddehb
Engager

Hi,

I could not find anything on the website. I would like to try and maybe use Splunk indefinitely on my home lab. Is there such a thing as a free license or home license? The Enterprise trial is for 60 days and does not seem to fit my needs.

0 Karma

ttovarzoll
Path Finder

What does the "500 MB daily ingest limit" mean? I understand if I'm sending logs, but what if I want to use it for ad hoc review of large offline data sets, e.g. VPC Flow Logs? Can I manually import a 1 GB .csv, or does that count as part of the 500 MB/day? If so, could I break it up and import 500 MB today, then 500 MB tomorrow, and then do my searches?

Thank you for this detailed discussion!

0 Karma

PickleRick
SplunkTrust

Ingest-based licensing works more or less like this:

- ingestion is summarized over a 24h period (midnight to midnight if I remember correctly).

- if your summarized ingestion amount exceeds your license terms, you get a license warning

- if your number of warnings during a rolling window exceeds a threshold (with the free license it's I think 5 during 30 days) and your license type is "enforcing" (the trial license is), your Splunk keeps indexing data, but searching from indexes other than Splunk's internal indexes gets blocked until you get a continuous window without warnings (here I'm not sure if you must have no warnings at all or just be below the threshold).

So technically, Splunk accounts for occasional unpredictable peaks of data volume but there is only a limited number of times you can use that.

So your best solution to ingest several gigabytes would be to spread it over a few days to keep below the daily limit.

All data that you ingest and write to indexes consumes license (but only the raw data of the event is counted against the license limits; any additional metadata fields are "free"; in the case of metric indexes each event consumes a constant 160 bytes, but that's probably a use case you're not interested in). The only way to get data into Splunk without consuming license is to load already indexed data (there are some pre-indexed datasets circulating around the internet, but they are very special cases for a special use).

0 Karma
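The accounting PickleRick describes above, written out as an added Python example (it is not code from this thread or from Splunk): only raw event bytes count, a 1 GB file therefore has to be spread over several calendar days to stay under the 500 MB Free quota, and the warning/enforcement rule is modelled exactly as stated in the post (5 over-quota days inside a rolling 30-day window), which is an assumption taken from the thread rather than a verified Splunk value. The `license_usage.log` lines are constructed sample data approximating that log's layout, so the per-day parser can be run offline.

```python
"""Model of Splunk ingest-based license accounting as described in the thread.

Added example, not code from the thread or from Splunk. The warning threshold
and rolling window are assumptions taken from the post above.
"""
import re
from datetime import date, timedelta

MB = 1024 * 1024
FREE_DAILY_QUOTA = 500 * MB      # Free license: 500 MB per calendar day
WARNING_THRESHOLD = 5            # assumption from the thread: 5 warnings ...
ROLLING_WINDOW_DAYS = 30         # ... inside a rolling 30-day window


def raw_bytes(event: str) -> int:
    """Only the raw event text counts against license; metadata fields are free."""
    return len(event.encode("utf-8"))


def days_needed(total_bytes: int, quota: int = FREE_DAILY_QUOTA) -> int:
    """Minimum number of calendar days to ingest total_bytes without a warning."""
    return (total_bytes + quota - 1) // quota


def plan_batches(events, quota=FREE_DAILY_QUOTA):
    """Greedily assign events, in order, to consecutive days so that no day's
    raw-byte total exceeds the quota. Returns a list of per-day event lists."""
    batches, current, current_bytes = [], [], 0
    for ev in events:
        n = raw_bytes(ev)
        if n > quota:
            raise ValueError("a single event cannot fit into one day's quota")
        if current and current_bytes + n > quota:
            batches.append(current)
            current, current_bytes = [], 0
        current.append(ev)
        current_bytes += n
    if current:
        batches.append(current)
    return batches


# Constructed sample lines approximating the layout of license_usage.log.
# type=Usage rows carry the indexed byte count in the b= field. Not real data.
SAMPLE_LICENSE_LOG = [
    '08-01-2024 00:00:06.001 +0000 INFO  LicenseUsage - type=Usage s="vpc-flow-1.csv" st=csv h=lab idx=main b=314572800 pool="auto_generated_pool_free"',
    '08-01-2024 12:00:06.001 +0000 INFO  LicenseUsage - type=Usage s="vpc-flow-2.csv" st=csv h=lab idx=main b=262144000 pool="auto_generated_pool_free"',
    '08-02-2024 00:00:06.001 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=524288000',
    '08-02-2024 09:00:06.001 +0000 INFO  LicenseUsage - type=Usage s="vpc-flow-3.csv" st=csv h=lab idx=main b=104857600 pool="auto_generated_pool_free"',
]

LICENSE_LINE = re.compile(
    r"^(?P<mon>\d\d)-(?P<day>\d\d)-(?P<year>\d{4}) .*? type=Usage .*? b=(?P<b>\d+)"
)


def usage_per_day(log_lines):
    """Sum the b= field of type=Usage lines per calendar day (date -> bytes)."""
    totals = {}
    for line in log_lines:
        m = LICENSE_LINE.search(line)
        if not m:
            continue
        d = date(int(m["year"]), int(m["mon"]), int(m["day"]))
        totals[d] = totals.get(d, 0) + int(m["b"])
    return totals


def violation_day(daily_bytes, quota=FREE_DAILY_QUOTA,
                  window_days=ROLLING_WINDOW_DAYS, threshold=WARNING_THRESHOLD):
    """Return the first day on which the number of over-quota days inside the
    trailing window reaches the threshold (the point at which search would be
    blocked under the rule stated in the thread), or None if never reached."""
    warning_days = sorted(d for d, b in daily_bytes.items() if b > quota)
    for i, day in enumerate(warning_days):
        window_start = day - timedelta(days=window_days - 1)
        in_window = sum(1 for d in warning_days[: i + 1] if d >= window_start)
        if in_window >= threshold:
            return day
    return None


if __name__ == "__main__":
    print("1 GiB CSV needs", days_needed(1024 * MB), "days under the Free quota")
    for day, total in sorted(usage_per_day(SAMPLE_LICENSE_LOG).items()):
        flag = "WARNING" if total > FREE_DAILY_QUOTA else "ok"
        print(day, f"{total / MB:.1f} MB", flag)
```

With the constructed log, 1 August sums to 550 MB (a warning day) and 2 August to 100 MB; a single warning is far below the modelled threshold, so `violation_day` returns `None`. Running `plan_batches` over the lines of a large CSV gives the per-day chunks the post recommends.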

isoutamo
SplunkTrust

When you are indexing events into Splunk, it counts the length of the event and uses it as the ingested amount. So when you index 1 GB, it uses 1 GB of your license. Depending on your license type there are slightly different rules about what happens when you have exceeded your limit. Usually it means that your searches are blocked for some period, which depends on your license type. Some licenses can be unlocked with a key from Splunk support, but some (like dev/free) cannot. But if you have just a sandbox environment, you can probably just package your apps and configurations, then remove the installation and start from scratch?

0 Karma

PickleRick
SplunkTrust

Apart from all those license types mentioned already (dev, dev/test, NFR), there is of course also the Splunk Free license. After your initial 60-day trial license expires, your Splunk installation will give you the possibility to either upload a valid license file or switch to the free license. The free license is - as the name says - free but has limitations (which - apart from the scheduled searches - are not usually very important in a home environment):

- single-node installation only (no clustering)

- no authentication (you're always working as an admin user)

- no scheduled searches (no alerts, no scheduler reports, no datamodel acceleration)

- 500MB daily ingestion limit

0 Karma

toddehb
Engager

@PickleRick

Great info. Think this could be sufficient.

What exactly does "no alerts" mean? So if suspicious activities hit Splunk, there are no alarms like email messaging etc.?

0 Karma

isoutamo
SplunkTrust

Exactly that way. You cannot run any alert, like sending an email if something happens.

Here is a link to its description: https://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree

What features are disabled on Splunk Free?

Splunk Free is for standalone, single-instance use only installations. Most Splunk Enterprise features are available on the Free license, with the following exceptions:

  • Ingest actions is not available.
  • Alerting (monitoring) is not available.
  • There are no users or roles. This means:
    • There is no login. You are passed straight into Splunk Web as an administrator-level user.
    • The command line or browser can access and control all aspects of Splunk Free with no user and password prompt.
    • There is only the admin role, and it is not configurable. You cannot add roles or create user accounts.
    • Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters are not supported.
  • Distributed search configurations including search head clustering are not available.
  • Deployment management capabilities are not available.
  • Indexer clustering is not available.
  • Forwarding in TCP/HTTP formats is not available. This means you can forward data from a Free license instance to other Splunk platform instances, but not to non-Splunk software.
  • Report acceleration summaries are not available.

What you should know about switching to Free

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

  • Any alerts you defined no longer trigger. You no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes.
  • Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats do not work.
  • User accounts or roles that you created no longer work.
    • Anyone connecting to the instance will automatically be logged on as admin. You will no longer see a login screen.
  • Any knowledge objects created by any user other than admin (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:

If/when you want to test Splunk features, then the Developer license will be best after the trial. If you just want to use it with a limited amount of data, then Free is probably the correct version.

0 Karma

PickleRick
SplunkTrust

Just to be clear about intended usages. While you might get away with running your licensed instance for different purposes, the intended usage is:

- For Free license - use it anywhere for no cost with a limited functionality. If you don't need anything more - that's the choice for you.

- Dev/Test license - use it for internal, non-production purposes (like setting up a test environment to test patches before deploying to prod, or developing apps/add-ons and testing changes before you push them to prod). You must be a customer and have a valid Enterprise or Cloud license to get this license.

- Developer license - use it for non-production purposes if you're developing an app/add-on/extension/whatever for Splunk and need an environment to test it before pushing to Splunkbase.

For all other uses (except some niche variants like partner's NFR or build license) you need a valid commercial license.

Reference - https://docs.splunk.com/Documentation/Splunk/latest/Admin/TypesofSplunklicenses

isoutamo
SplunkTrust

Hi

Splunk has two different developer licenses (see Splunk developer licenses). One is for test/dev for current customers who have already paid for at least a 1 GB on-prem or 5 GB cloud license. Just register with your corporate email (same domain as your official license has) and order it.

The other one is the developer license for users who are not using any paid version. There is more about it at the following links:

The 1st license has a 50 GB/day limit and some features are missing, like clustering etc. The 2nd one has more features but only 10 GB/day ingest. Both are valid for 6 months, and then you can ask for a new license.

r. Ismo

0 Karma

toddehb
Engager

@isoutamo

Thanks for the clarification. I need to go with the 2nd option, because we don't have a regular license at my company.

0 Karma

gcusello
SplunkTrust

Hi @toddehb,

if you're a registered Splunk Partner, you can get a 10 GB/day NFR (Not For Resale) license, to be renewed every year.

Ciao.

Giuseppe

0 Karma

toddehb
Engager

Thank you all. From reading the last post, Splunk does not seem to be feasible for my purpose.

0 Karma