Thoughts on Free Splunk

Solution 1:

We use free Splunk together with OSSEC on several customers and it's perfectly usable. Of course, it has some limitations compared to the non-free version:

  • 500MB limit per day (with two or three peaks allowed per month): If you don't generate that much data, this won't affect you
  • Authentication: free Splunk does not have it. We use apache and http_auth to overcome this limitation. It's not a perfect solution but good enough. If you will be the only user, you can run it on localhost.
  • Different users: free Splunk only has one user. So you don't get personalized dashboards and customization. Again, if you are all looking for the same and don't care about sharing or you are the only one, there should be no problem.

Overall, free Splunk (particularly version 4) is a product per se and can be used in production without worries, unless you happen to need the added features of the non-free version.

Solution 2:

Overall, free Splunk (particularly version 4) is a product per se and can be used in production without worries, unless you happen to need the added features of the non-free version.

If you have small amounts of data to index, the above is true.

What we found out was that if your data is in the range of the limit, you are in TROUBLE.

We figured: Heck, 500mb/day, that is a lot. If we exceed it, no big deal, we will only be able to search 500 mb of it.

Wrong!

According to the splunk answers site, if you hit the limits, the Splunk Search feature is disabled... for DAYS at a time.

This effectively KILLS your splunk system (if you can't search, the whole system is about as useful as a sack of sand).

"If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more violations on an Enterprise license or 3 violations on a Free license in a rolling 30-day period, search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) violations in the previous 30 days or when you apply a new license with a larger volume limit.

Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks access while you exceed your license.

So even if you have a paid license, if you hit the limits you can effectively disable the system.

Solution 3:

You can't even change the default admin password with the free license. This means anyone on the network can send data to the indexer/forwarder with the default admin:changeme credentials.

Think about that.

Solution 4:

We are a team of 12 people in a large media company in London. We have an enterprise license in excess of 100GB for the company as a whole but our team still runs a separate server with the free version. This allows us more freedom to play with configurations and index 'one-off' batches of data that would otherwise take longer on our production system due to access rights and change controls.

Its a sort-of dev/test environment for splunk but we also have a lot of searches and dashboards that we use all the time that we have no desire to move to production. So yes, the free version is useful.