Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk license

uagraw01
Motivator
‎01-28-2024 11:25 PM

 

Hello Splunker!!

My Splunk Enterprise license expired on January 29th, and because of that, I have renewed the license. But I missed some events during the license expiration period. How can I get back missed events so they will show up in the below graph?

uagraw01_1-1706513002053.png

 

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-29-2024 01:33 AM

What report is this? Licensing errors can make your environment stop searching but they shouldn't prevent you from indexing as far as I remember.

0 Karma
Reply

uagraw01
Motivator
‎01-29-2024 02:26 AM

So you mean after the restart of the Splunk, the previous data should visible.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 02:29 AM

Hi @uagraw01 ,

if you were in License Violation, Indexing didn't stop, only searching was stopped, so you should have all the logs, also in the no licensing period.

If you haven't (as from your screenshot), there is another reason for this, as I described in my answer.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎01-28-2024 11:32 PM

Hi @uagraw01 ,

it depends on how you are receiving those logs: if they are syslogs that you directly receive in Splunk (in other words not using rsyslog or syslog-ng) you missed them, for this reason is a best practice us a syslog server insted of Splunk.

if they come from files or wineventlog, it depends on the retention of these data in the original systems.

If you still have the files, you should try to read them again using the crcSal = <SOURCE> option.

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Motivator
‎01-29-2024 12:32 AM

@gcusello We are receiving the data through ActiveMQ.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 12:44 AM

Hi @uagraw01,

I don't know this add-on and the source, check if it's possible to send again data , otherwise they are lost.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...