I have been trialing Splunk now for the duration of the Free-Enterprise license and would now like to move over to the free license.
I have tried this on another test box which I have and I am still receiving this error when I try search the data:
Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
On this test box I am not sending too much data (only one firewall), so would expect this not to exceed the 500Mb limit.
I have ran the below command on the test server to show a 48h period and its no-where near the limit, or is it?...
index=_internal earliest=-48h source=*metrics.log per_index_thruput | eval mb=kb/1024 | stats sum(mb) by series
1 _audit 0.361480773
2 _internal 46.5331381808
3 main 78.1099844046
Can anyone advise on the best way to migrate or clear this error?
Is there any search which can be run to see when you last hit a violation/came close to one?, that way I could get an idea of when I could expect to get access back in.
If you get 5 or more violations within a 30 day period then it will lock your search. It won't unlock again until you have 30 consecutive days free of any warnings (Splunk still indexes while search is locked) so it may not be related to the last 48 hours at all.
Once on the free license you can have only 3 violations within a 30 day period.
Also it could be the license expiring, you can switch to the free one via manager -> licensing and there is an option to switch to the free license.
See here for more detail;