Archive

Excessive License Violations after Installing New License

Splunk Employee
Splunk Employee

I had a 500 MB license on a test Instance and went above that threshold for a while before I checked it (averaging around 800 MB), and so the search disabled itself. To remedy this, I installed a 10 GB dev license, but I still can't run any searches.

Error message: Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.

It shows I have one stack with 10240 MB, with one pool that is using 607 MB out of 10240 MB, and the only server in the licensing group is listed as having consumed that 607 MB, but I still can't do any searches.

Restarts and a forced upgrade also failed to resolve the issue. Is there any way to fix this without waiting for however long?

Tags (1)
1 Solution

Splunk Employee
Splunk Employee

Once you violate your license searching will be blocked until a reset (only available to enterprise customers) is applied or you return to license compliance (30 days without exceeding the license limit). Simply applying a larger license will not restore search functionality.

View solution in original post

Engager

Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support.

New Member

Good morning,

can anybody please detail or explain better what this means:

"Once you violate your license searching will be blocked until a reset (only available to enterprise customers) is applied "

I've restarted the splunk server many times after license installation, but I can't still use the searching.

Thanks

0 Karma

New Member

I have exactly the same issue. An answer to this question would be most valuable.

0 Karma

Splunk Employee
Splunk Employee

"A reset" here means a reset license, which any Splunk customer can get from support. Just open a support ticket and ask for a reset.

0 Karma

Explorer

Why not? It would seem that having a new license means we are back in compliance.

0 Karma

Splunk Employee
Splunk Employee

Once you violate your license searching will be blocked until a reset (only available to enterprise customers) is applied or you return to license compliance (30 days without exceeding the license limit). Simply applying a larger license will not restore search functionality.

View solution in original post

Engager

I logged in to do work on my home deployment with my development license to show a friend how cool splunk was the other day. I couldn't login to the mobile platform because the license was expired. Few days later, I corrected this today but I still cannot search at all despite renewing my license

"Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.

What are my options at this point?
-Deploy a new Splunk Server and migrate everything?
-Wait X amount of days to be able to use my instance whenever that may be?
-Give up and look at other splunk alternatives so I can get back up and running and not have egg on my face next time I go to demo?
-D. Other?

0 Karma

Splunk Employee
Splunk Employee

In addition to getting a valid license, once search has been disabled the only way to enable search again is by requesting a reset key from support. Once you apply the reset key, you should be all set.

Engager

I just contacted support to see about getting a reset key for my developer license, my account is not associated with a company so they cannot give me a reset key. I was able to get a graylog ova deployed though and adjust outputs.conf to over there, at least helps make for a smooth transition to a new platform. 😄

For those interested and in the same boat as me, here is a reference.
http://docs.graylog.org/en/2.1/pages/installation/virtual_machine_appliances.html

Outputs.conf
http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Forwarddatatothird-partysystemsd

0 Karma

Splunk Employee
Splunk Employee

For anyone reading this after the fact, "a reset" refers to a reset license that customers can get from support. Simply open up a ticket either over the web or by calling and the support engineer will get you back up and running.

0 Karma

Splunk Employee
Splunk Employee

Per your suggestion, I opened a support case (#56332) for this issue. I'll update the ticket once with any outcomes, in case anyone else experiences the same problem.

0 Karma

Splunk Employee
Splunk Employee

since you have an enterprise license i would suggest contacting splunk support with a screenshot. Otherwise, if you can show us a screenshot here that would also help.

It doesnt really make sense to have a license pool of 10240MB and only using 607 but still being under violation.

The only thing that comes to mind is: are you sure that the indexer that is using 607MB (and was using 800MB in the past) is under this pool? Do you perhaps have a secondary pool? (screenshot should show this clearly..)

0 Karma