Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk license

uagraw01
Motivator
‎01-28-2024 11:25 PM

 

Hello Splunker!!

My Splunk Enterprise license expired on January 29th, and because of that, I have renewed the license. But I missed some events during the license expiration period. How can I get back missed events so they will show up in the below graph?

uagraw01_1-1706513002053.png

 

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-29-2024 01:33 AM

What report is this? Licensing errors can make your environment stop searching but they shouldn't prevent you from indexing as far as I remember.

0 Karma
Reply

uagraw01
Motivator
‎01-29-2024 02:26 AM

So you mean after the restart of the Splunk, the previous data should visible.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 02:29 AM

Hi @uagraw01 ,

if you were in License Violation, Indexing didn't stop, only searching was stopped, so you should have all the logs, also in the no licensing period.

If you haven't (as from your screenshot), there is another reason for this, as I described in my answer.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎01-28-2024 11:32 PM

Hi @uagraw01 ,

it depends on how you are receiving those logs: if they are syslogs that you directly receive in Splunk (in other words not using rsyslog or syslog-ng) you missed them, for this reason is a best practice us a syslog server insted of Splunk.

if they come from files or wineventlog, it depends on the retention of these data in the original systems.

If you still have the files, you should try to read them again using the crcSal = <SOURCE> option.

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Motivator
‎01-29-2024 12:32 AM

@gcusello We are receiving the data through ActiveMQ.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 12:44 AM

Hi @uagraw01,

I don't know this add-on and the source, check if it's possible to send again data , otherwise they are lost.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...