8.2.4: after converting Trial into Free still gett...

petersob2 · ‎01-05-2022

Hello,

we've installed splunk and after the license expired on december 18th or so.
Now we have converted the license into a free license.

But the search still doesn't work, everytime i try to search something "*" or in my other index i get:

----snip---
Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
----snip---

Only Searching in "index=_internal" works.

Looking in settings->licensing:

-----snip----
Free license group
Change license group
This server is configured to use licenses from the Free license group

Add license
Usage report
Alerts

Licensing alerts notify you of excessive indexing warnings and licensing misconfigurations. Learn more
Current
1 pool warning reported by 1 indexer Correct by midnight to avoid warning Learn more
1 pool violation reported by 1 indexer Correct by midnight to avoid warning Learn more
Permanent
18 pool quota overage warnings reported by 1 indexer 13 hours ago
Local server information
Indexer name #########
License expiration 19 Jan 2038, 04:14:07
Licensed daily volume 500 MB
Volume used today 0 MB (0.007% of quota)
Warning count 18
Debug information All license details
All indexer details
-----snip----

We are evaluating splunk and have only a couple kB per day, to the data amount is not the problem.

Do you have an advices?

with best Regards
Peter

gcusello · ‎01-05-2022

Hi @petersob2,

When a license is expired, you can add a new license or convert in a frre license, but the free license has the limit of 500 MB7day and you are in violation because you exceeded the limit of 500 MB/day more than 2 times, so your Splunk is blocked.

If you have a valid license you could have an unblock license but for a free license isn't possible to have it.

The only thing that you can do is to create a new Splunk installation and copy the old data on the new installation, but you continue to have the limit of 500 MB/day, so you have to analyze your data and limit the volume of logs to ingest.

You can find all the information at:

https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/TypesofSplunklicenses#Other_types_of_licens...

https://www.splunk.com/en_us/resources/splunk-enterprise-license-enforcement-faq.html

Ciao.

Giuseppe

petersob2 · ‎01-07-2022

Hi,

thanks for your answer. I think my problem is not the amount of data, the whole index where the data came in is only 226k big, since the installation. We have really a couple of kb per day.

Im not sure, but this could be caused by not converting the license in time, so that after test period expired the violation was counted and blocked automatically only because it wasn't converted and not because data amount exceeded. It's just an assumption...

with best regards,
Peter

gcusello · ‎01-07-2022

Hi @petersob2,

I don't think that the violation could be the delay in convertion to free license,

you can easily check if the violation is related to the ingested logs because the License Consuption dashboard should work also in violation and you can see the daily consunption in the last 30 days.

Open a ticket to Splunk Support to understand what happened.

Ciao.

Giuseppe

8.2.4: after converting Trial into Free still getting "license expired" and search still doesn't work

license

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?