At a few customers now I have seen a 1MB (forwarder) license with an expiration of early March. I'm not sure where this came from - was this a bug?
user@host $ bin/splunk show license Current Daily Usage Amount: 0 Expiration date: 2011-03-08T01:07:37-0500 Expiration State: 7 License level: 1 MB Product: Enterprise License violations: Max Violations: Peak usage: 0 MB Days remaining: 6 day(s) Violation Period:
The expiring license file starts with
email@example.com and the encrypted text began with
RV7. When the license was changed to
splunk-forwarder.license from the 4.1.6 64-bit linux tgz package, the date went back to
2020-06-08 as expected (that file starts with
firstname.lastname@example.org and the encrypted text starts with
There was a Splunk Answers a bit ago that said they accidentally shipped a bad forwarder.license in one release. It was a bit scant on details, so it's hard to confirm that it is your issue, but it certainly sounds like it.
This was a bug in one of the releases. You should be able to replace it with the forwarder license from a current release of Splunk. Note that this is mostly of no consequence on a forwarder, since the results of a license lockout are that you can't search, and there is (or should be) nothing to search on a forwarder.
A simple solution is to download a splunk 4.1.7 zip/tar.gz and use the forwarder license shipped in it /etc/splunk-forwarder.license
But at this step, why not upgrade directly to 4.1.7