Splunk license

uagraw01
Motivator

Hello Splunker!!

My Splunk Enterprise license expired on January 29th, and because of that, I have renewed the license. But I missed some events during the license expiration period. How can I get back the missed events so they will show up in the graph below?

[Screenshot: uagraw01_1-1706513002053.png]

0 Karma

PickleRick
SplunkTrust

What report is this? Licensing errors can make your environment stop searching but they shouldn't prevent you from indexing as far as I remember.

0 Karma

uagraw01
Motivator

So you mean that after restarting Splunk, the previous data should be visible?

0 Karma

gcusello
SplunkTrust

Hi @uagraw01 ,

If you were in license violation, indexing didn't stop; only searching was stopped, so you should have all the logs, including those from the period without a license.

If you don't (as it appears from your screenshot), there is another reason for this, as I described in my answer.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @uagraw01 ,

It depends on how you are receiving those logs: if they are syslogs that you receive directly in Splunk (in other words, not using rsyslog or syslog-ng), you missed them; for this reason it is a best practice to use a syslog server instead of Splunk.

If they come from files or wineventlog, it depends on the retention of these data in the original systems.

If you still have the files, you should try to read them again using the crcSalt = <SOURCE> option.

Ciao.

Giuseppe

0 Karma

uagraw01
Motivator

@gcusello We are receiving the data through ActiveMQ.

0 Karma

gcusello
SplunkTrust

Hi @uagraw01,

I don't know this add-on and the source; check if it's possible to send the data again, otherwise they are lost.

Ciao.

Giuseppe

0 Karma