Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk license

uagraw01
Motivator
‎01-28-2024 11:25 PM

 

Hello Splunker!!

My Splunk Enterprise license expired on January 29th, and because of that, I have renewed the license. But I missed some events during the license expiration period. How can I get back missed events so they will show up in the below graph?

uagraw01_1-1706513002053.png

 

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-29-2024 01:33 AM

What report is this? Licensing errors can make your environment stop searching but they shouldn't prevent you from indexing as far as I remember.

0 Karma
Reply

uagraw01
Motivator
‎01-29-2024 02:26 AM

So you mean after the restart of the Splunk, the previous data should visible.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 02:29 AM

Hi @uagraw01 ,

if you were in License Violation, Indexing didn't stop, only searching was stopped, so you should have all the logs, also in the no licensing period.

If you haven't (as from your screenshot), there is another reason for this, as I described in my answer.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎01-28-2024 11:32 PM

Hi @uagraw01 ,

it depends on how you are receiving those logs: if they are syslogs that you directly receive in Splunk (in other words not using rsyslog or syslog-ng) you missed them, for this reason is a best practice us a syslog server insted of Splunk.

if they come from files or wineventlog, it depends on the retention of these data in the original systems.

If you still have the files, you should try to read them again using the crcSal = <SOURCE> option.

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Motivator
‎01-29-2024 12:32 AM

@gcusello We are receiving the data through ActiveMQ.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 12:44 AM

Hi @uagraw01,

I don't know this add-on and the source, check if it's possible to send again data , otherwise they are lost.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...