topic Re: get data splunk in Splunk Search

Questions about Splunk Enterprise- What happens after 3 quota overruns, The difference between Free and Trial, etc

hichem_khalfi — Fri, 29 Jul 2022 15:27:28 GMT

Hi please I have 3 questions regarding the splunk enterprise solution (500 mega free log)

infact I am a student and I want to master this solution

1/ after 3 quota overruns, what exactly happens? does splunk server stop receiving logs or what??

2/ what is the difference between: Free license and Enterprise Trial license?

3/ in case I had 2 splunk servers and I want to put one of the 2 as slave because I will need it but I only need the logs that analyzed it, what happens technically?

Re: get data splunk

chaker — Fri, 29 Jul 2022 08:07:53 GMT

1: Search will be disabled on all logs except the internal logs

2: Free license is heavily reduced feature set, Enterprise trial is a trial period of the full feature set.

3: Not sure what you mean. Perhaps read up on distributed search or indexer clustering.
Here is the Splunk Validated Architecture document for reference.

https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

Re: get data splunk

hichem_khalfi — Fri, 29 Jul 2022 08:26:46 GMT

hi @chaker

I am preparing a presentation on splunk
I lost my first license after 3 quota overruns, and as you know if I prepare a new splunk server I lose all information on the first server
that's why I'm looking for a solution to have them on the second server

Re: get data splunk

gcusello — Fri, 29 Jul 2022 08:28:51 GMT

Hi @hichem_khalfi,

answering to your questions:

after three exceeding, you are in license violation so the data indexing will continue, but all searches (except the ones on _* indexes) will be disabled.

To restart searching, you have to receibe an unblock key from Splunk.

Both Free license and Trial License permit 500 MB/day of ingestion, but in Free License some features (e.g. login) are disabled, you can know which feature are disabled at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/TypesofSplunklicenses

3), if one server must only send logs to the other, you can install on it the Universal Forwarder (free license) and configure it to send its logs to the other.

In addition, you could see at https://www.splunk.com/en_us/about-us/splunk-pledge/academic-license-application.html the conditions to have a free license for acadmic scope.

Ciao.

Giuseppe

Re: get data splunk

hichem_khalfi — Fri, 29 Jul 2022 08:44:13 GMT

Hi @gcusello

1- what I understand then: I can no longer use this server now because I had a test model containing a firewall and an antivirus with their own indexew, i used index= main for them

2- Is there a solution to complete the tests on a new splunk server without losing the existing information on the first server?

Re: get data splunk

hichem_khalfi — Fri, 29 Jul 2022 08:56:57 GMT

Hi @gcusello

what I understand then: I can no longer use this server now because I had a test model containing a firewall and an antivirus with its own indexes

2- Is there a solution to complete the tests on a new splunk server without losing the existing information on the first server?

Re: get data splunk

gcusello — Fri, 29 Jul 2022 09:21:01 GMT

Hi @hichem_khalfi,

if you're in violation, you could ask an unblock key to Splunk to use the accademic license.

When you'll have (but also before it!), you'll be able to:

install Splunk on a new machine,
stop Splunk on the new and old machine,
copy indexes data ($SPLUNK_HOME/var/lib/splunk) on the new machine,
copy indexes definition (files indexes.conf) in the new machine,
restart Splunk on the new machine.

Ciao.

Giuseppe

Re: get data splunk

gcusello — Fri, 29 Jul 2022 09:23:35 GMT

Hi @hichem_khalfi,

to continue to use it, you have to ask to Splunk an unblock key or install a new machine and copy the old data on the new one.

Obviously the new installation has only three exceedings, so if you continue to have more than 500 MB/day, you'll be again in violation in three days.

Ciao.

Giuseppe

Re: get data splunk

hichem_khalfi — Fri, 29 Jul 2022 10:22:27 GMT

HI @gcusello

this is what I want to know:
1/ how can I have this academic license? the procedure ?
2/ I know I'm talking about technical stuff but I want to be sure of a few points:
by copying this folder ($SPLUNK_HOME/var/lib/splunk) I make sure that all the old data will be present on the new server??
I used only one index by default (main) so what should I do ?

thank you

Re: get data splunk

gcusello — Fri, 29 Jul 2022 11:54:26 GMT

Hi @hichem_khalfi,

about the academic license, all that I know is the link I sent bacause I didn't used it.

About the procedure of index moving, as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Moveanindex you have to:

install on a new machine another Splunk instance using the same version,
stop both the Splunk instances,
copy the $SPLUNK_HOME/var/lib/splunk/your index from the old in the same folder of the new one,
copy indexes.conf where your index is defined from the old system to the new one, if the index is main, don't do this step,
restart Splunk on the new instance.

In this way, you'll have all the old data in the new instance.

Ciao.

Giuseppe

Re: get data splunk

hichem_khalfi — Fri, 29 Jul 2022 13:58:29 GMT

HI @gcusello

please clarify me a bit more, I copied all the var/lib/splunk folder, but I didn't copy any index.conf files because I use index by default: index=main
but I have no results on the new server
where are the files indexes.conf to copy them? do you know the exact path?
thanks

Re: get data splunk

gcusello — Fri, 29 Jul 2022 15:02:27 GMT

Hi @hichem_khalfi,

if the index where you stoed your data is main, you have to copy from the old system to the new the defaultdb folder that contains all the main buckets.

check in $SPLUNK_HOME/etc/splunk-launch.conf if the row starting with SPLUNK_DB is active or under comment.

If it's commented, you have to copy the "defaultdb" folder.

If it's acrive (non commented), you have to copy the defaultdb folder in the path that you can find in DEFAULT_DB.

the indexes.conf containing main index location usually is in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/system/default.

Ciao.

Giuseppe

Re: get data splunk

hichem_khalfi — Fri, 29 Jul 2022 16:22:48 GMT

hi @gcusello

Super ; problème résolu
dernière question ; dans le cas où j'ai 2 serveurs avec un dépassement de quota et que je souhaite regrouper leurs données dans un 3ème serveur
y a-t-il une solution?

Re: get data splunk

gcusello — Fri, 29 Jul 2022 16:48:51 GMT

Hi @hichem_khalfi,

good for you for the first issue, please accept the solution for the other people of Community.

About the second question: iF the indexes are different, you can repeat the process I described for both the indexes.

If instead the index is the same e.g. main), merge isn't possible, so: for one of them, you can use the solution I described, for the second the only chance is to extract data in a text file and reload them.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉