Licensing issues with Splunk

Local server information
Indexer name
License expiration Apr 26, 2013 6:28:39 PM
Licensed daily volume 500 MB
Volume used today 4,093 MB (818.68% of quota)
Warning count 3
Debug information All license details
All indexer details

I have a free license to Splunk, I simply use it to watch and visualize a tiny server that does nothing but file serving and streaming. The server does have a FQDN although there is little to no access on the web. I use it mostly for my own fiddling in my own time.

In theory - this should be quite adequate for the free Splunk license terms - yes?

I usually set up Splunk and forget about it after a few days but recently I was getting hammered by SSH attempts. I captured some traffic, created a temp rule to block all incoming traffic and I was going to use Splunk to visualize this data.

Once again I've apparently violated my license terms by collecting far too much data. It won't let me check the SSH attempts and it won't let me view all the crap data that it does appear to have collected. The last time this happened a few weeks ago, I just dumped the data and reindexed - what's the bloody point?

Really, is this what Splunk has become? EVERY new revision of Splunk seems to be becoming more and more restrictive even for those that have no intention of using it commercially.

Sad, sad days.

The terms of use are very clear. 500MB/day maximum for a free licence. Blow it three times and you are shut out of the search until there are fewer than three days over in a 30 day window. That does not strike me as unreasonable. If you want professional grade usage, you are expected to pay for a professional grade licence, and 500MB a day is a lot for personal use.

You need to be selective when choosing your data sources.


I'm not entirely sure what Splunk has done wrong here?

On a free license you can index up to 500 MB a day; if you blow this, it's alright. Splunk will let you blow this limit three times within a 30 day rolling window. That means that if on day 1 you use 600 meg you have a violation, if 29 days later you have a second violation then the window resets and you have 2 violations and need to have none for 30 more days to clear them.
If you exceed 3 then you lose the ability to search.

That seems somewhat fair to me? It's Splunk allowing room for people to sometimes blow the limit or run batch jobs; if you always go over then it's an indication that you need a bigger license. Also you don't need to dump and reindex, this won't affect the license.
Best fix is to backup your buckets and reinstall Splunk, move the buckets back over and carry on as usual.

So in short, Splunk would have given you three warnings and as you've pasted above, you used 818% of your quota..... Also Splunk hasn't made anything more restrictive, it's the same free license that was there a version or two ago.

EDIT: Just double checked, the Splunk free model hasn't changed since 4.1 (Which is also when it was introduced)

License expiration Jun 23, 2014 12:17:22 AM
Licensed daily volume 500 MB
Volume used today 657 MB (131.419% of quota)
Warning count 0

Ok, I'm trying this again.... enterprise trial license, only the very basic settings on OSX server that's been running since January doing very little but file serving. I purged an apache.log that appears to have cleared up a large chunk.

Can I ask, the files that don't get added due to not being on the whitelist - do they count towards your quota?

It could simply be that Splunk doesn't support OSX out of the box but this is ridiculous.
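
An added example, not part of any post in this thread: a short Python script that totals indexed bytes per day and per source, so the input eating the 500 MB quota (such as the apache.log mentioned above) can be found before choosing what to stop indexing. It assumes the key=value layout (type, s, st, h, b, poolsz) that Splunk writes to $SPLUNK_HOME/var/log/splunk/license_usage.log; the sample lines, host name, paths and byte counts are constructed.

```python
import re
from collections import defaultdict

QUOTA_BYTES = 500 * 1024 * 1024  # 500 MB/day free-license quota quoted in the thread

# Constructed sample in the key=value layout of license_usage.log
# (layout assumed; host, paths and byte counts are made up for illustration).
SAMPLE_LOG = """\
04-20-2013 09:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/secure.log" st="secure" h="fileserver" b=104857600 poolsz=524288000
04-20-2013 09:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/apache.log" st="access_combined" h="fileserver" b=314572800 poolsz=524288000
04-21-2013 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=419430400 poolsz=524288000
04-21-2013 09:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/secure.log" st="secure" h="fileserver" b=104857600 poolsz=524288000
04-21-2013 09:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/apache.log" st="access_combined" h="fileserver" b=629145600 poolsz=524288000
"""

# Matches key="quoted value" or key=bare_value pairs.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def usage_by_day(text):
    """Sum indexed bytes per day and per source (s=) from type=Usage events."""
    days = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        fields = {k: q if q else u for k, q, u in KV.findall(line)}
        if fields.get("type") != "Usage" or "b" not in fields:
            continue  # skip rollover summaries and unrelated lines
        day = line.split()[0]  # MM-DD-YYYY date at the start of the line
        days[day][fields.get("s", "unknown")] += int(fields["b"])
    return days

def quota_report(text, quota=QUOTA_BYTES):
    """Return (day, total_bytes, percent_of_quota, over_quota, largest_source) rows."""
    rows = []
    for day, sources in sorted(usage_by_day(text).items()):
        total = sum(sources.values())
        top = max(sources, key=sources.get)
        rows.append((day, total, round(100 * total / quota, 2), total > quota, top))
    return rows

if __name__ == "__main__":
    for day, total, pct, over, top in quota_report(SAMPLE_LOG):
        flag = "OVER QUOTA" if over else "ok"
        print(f"{day}  {total / 2**20:8.1f} MB  {pct:7.2f}%  {flag:10}  largest source: {top}")
```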

