Dashboards & Visualizations

Splunk license

uagraw01
Motivator

 

Hello Splunker!!

My Splunk Enterprise license expired on January 29th, and because of that, I have renewed the license. But I missed some events during the license expiration period. How can I get back missed events so they will show up in the below graph?

uagraw01_1-1706513002053.png

 

 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

What report is this? Licensing errors can make your environment stop searching but they shouldn't prevent you from indexing as far as I remember.

0 Karma

uagraw01
Motivator

So you mean after the restart of the Splunk, the previous data should visible.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01 ,

if you were in License Violation, Indexing didn't stop, only searching was stopped, so you should have all the logs, also in the no licensing period.

If you haven't (as from your screenshot), there is another reason for this, as I described in my answer.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01 ,

it depends on how you are receiving those logs: if they are syslogs that you directly receive in Splunk (in other words not using rsyslog or syslog-ng) you missed them, for this reason is a best practice us a syslog server insted of Splunk.

if they come from files or wineventlog, it depends on the retention of these data in the original systems.

If you still have the files, you should try to read them again using the crcSal = <SOURCE> option.

Ciao.

Giuseppe

0 Karma

uagraw01
Motivator

@gcusello We are receiving the data through ActiveMQ.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01,

I don't know this add-on and the source, check if it's possible to send again data , otherwise they are lost.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...