What's the point of the enterprise trial? I installed it and was over my limit within 5 mins of using it?!?

timhon5
Engager

I started to index /var/log and boom, over my limit immediately. How can I even get the feel for this if I can't use it at all? I assumed the indexer would ignore old rotated files, but perhaps it also counts those towards the daily total?

1 Solution

jbsplunk
Splunk Employee

Hi Tim,

A couple of things to note here with regard to the license volume limit. You are allowed 5 violations (3 with the free license) within a rolling 30-day period before search is disabled. After this, you'd need to wait 30 days before you could search any non-internal index again.

If you're just testing Splunk, move a subset of data from /var/log into another folder. I have an enterprise trial license monitoring /var/log on a laptop, and haven't had any issues with it.

By default, the indexer is going to look at the first 256 bytes of a file and if it matches what we've recorded, it is going to skip indexing those files. If you want to ensure that files are not indexed, you can blacklist those files.

http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata

If you need more volume per day, do not hesitate to contact sales@splunk.com and ask for a larger trial license. They will be glad to assist.

muebel
SplunkTrust

You can get a feel for it by indexing a subset of /var/log, or taking advantage of its general analysis capabilities by indexing a specific application log. Take a look at this list of apps. Splunk lets you find a needle in a haystack, but it also does a lot of good when just trying to view data from different angles.

0 Karma

mw
Splunk Employee

When you first install Splunk, and point it at something like a directory to monitor, it's going to index everything in there unless you specify to "tail only". That would account for passing the limit, but doesn't necessarily indicate that you'll continue to do so.

In any case, the enterprise trial volume limit would generally be enough for someone to get familiar with Splunk. If you need more volume you would need to contact sales.

0 Karma
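
The blacklist mentioned in the accepted solution and the "tail only" option mentioned in the reply above are both set on the monitor stanza in inputs.conf. The following is an added example, not taken from any of the posts on this page; the regex and the 7-day cutoff are assumed values for a typical Linux /var/log and should be adjusted to the rotation scheme in use.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Added example; the blacklist pattern and age cutoff are assumptions.

# Before: a bare monitor stanza. On first start every file under
# /var/log is read from the beginning, including rotated and
# compressed copies, and all of it counts toward the daily volume.
#
# [monitor:///var/log]

# After: the same directory with old and rotated data excluded.
[monitor:///var/log]
disabled = false

# Regex matched against the full path of each file. This one skips
# compressed archives (syslog.2.gz), numbered rotations (messages.1)
# and date-suffixed rotations (secure-20240101).
blacklist = \.(gz|bz2|zip|xz)$|\.\d+$|-\d{8}$

# Skip files whose modification time is older than 7 days.
ignoreOlderThan = 7d

# "Tail only": for files seen for the first time, start reading at
# the end instead of the beginning, so existing content is not indexed.
followTail = 1
```

Restart Splunk after editing the file. Because `followTail` only affects files the first time they are picked up, it can be removed once the initial backlog has been skipped.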
