I have a FREE license, yet I get the error "Your Splunk license expired or you have exceeded your license limit too many times". It appears you're trying to ensure that temporary bursts over the limit are still processed, but this just means that I lose search access entirely after a few days, which is worse (then I need a silly thing called a "reset license"!).
How about an alternative FREE license which strictly enforces the limit, but never ever denies you access to searching your data? This is far more "common sense".
the answer to the question asked in the title of this posting is: the license isn't expiring. it is enforcing the terms of that license as documented. once your deployment has fewer than 3 violations within the noted 30-day period, you will once again be able to use Splunk to search your data, indefinitely.
in the meantime, i recommend you reduce the volume of your inputs so that you no longer violate the terms of the license more than twice in a given 30-day period. here is additional information from the official product documentation about the intended use cases for Splunk Free:
"Splunk Free is designed for personal, ad-hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets--Splunk Free allows you to bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets."
note that Splunk Free is intended for personal use. if you are using Splunk Free in an enterprise environment, and require access to support under an SLA, i recommend you purchase a license.
Sounds great -- except for the "gotcha" if you give Splunk more data than the license allows. I cannot think of any other use-limited license that reacts to over-use by shutting down. Use-limited licenses should enforce the license limits, not deactivate.
I don't need any support except a WORKING LICENSE.
Splunk are heavily involved in the community and spend a lot of time helping people. In fairness to them you don't have paid support and it is a free product, personally I would say that the fact it indexes data is far more important than letting me search my data. I have a sudden issue that causes a surge of data, ok so I can't search but at least I can perform some sort of analysis afterwards... if I stopped indexing then there isn't much point 😕 Also it's not a bait and switch if you are going over the free license, surely that's just a sign that you need a bigger / commercial license?
Well perpetual means it doesn't expire and it hasn't, you've just violated the license. And it also has a three strike rule so you would have had warnings at the top of the screen for at least three days warning you of a violation. If it is a big problem you could always install a new free version and migrate your indexes over to it?
Agreed, I'm not paying for support, but I believe that a perpetual free license to index up to 500 MB a day should not deactivate and require vendor intervention to get working again. It's clearly not perpetual. Am I asking too much?
i can add my 2 cents here. the Splunk website has a matrix and verbiage comparing free vs pay-for ent license. it seems to suggest the product stops indexing after 500MB, not that you cannot search after max index has been reached, etc.
"Splunk is available to download for free. Your download automatically includes all of the Enterprise license features of our latest release, Splunk 4.3, for 60 days and allows you to index 500 megabytes of data per day. After 60 days, or anytime before then, you can convert to a perpetual Free license or purchase an Enterprise license to continue using the expanded functionality designed for multi-user Enterprise deployments"
in fact, the product has no indexing limit. so perhaps the description of "free" is not accurate, and, the description for limits on indexing is not accurate.
The FREE license indexes up to 500 MB/day. Oops, no, it will index MORE, but if you give it too much data to index three times in a month, it just shuts down.
AND, corporate Splunk has not yet responded to TWO calls trying to get this "reset" license key. Seems like a bait-and-switch to try to get you to pay for a commercial license.
Does anyone from the company read these forums?
I would argue that enforcing the license in the way you suggest is not common sense. It just happens to be better suited to your specific individual current situation.
If you use Splunk for indexing, searching and acting on data that is of relevance to you (which is the whole point of it), it'd be far worse if it just started dropping this relevant data as soon as the license limit is hit. Instead when you surpass the 500MB license cap Splunk keeps on gathering the data just as usual so you're still able to search it and then gives you not one, not two, but THREE warnings for each day you violate the license, before finally shutting down search capabilities. Even then it's still gathering data.
If you're constantly indexing more than 500MB of data per day, then the free 500MB license isn't for you.
You have the ability to set up alerts on license violations, as well as to route data that is less meaningful to you to the nullQueue (Splunk's equivalent of /dev/null) so that no license cost is incurred by those events.
search to alert on:
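For the nullQueue routing this answer mentions (not the alert search), a props.conf/transforms.conf pair like the following does the filtering at parse time. This is an added example, not part of the original post; the sourcetype `app_debug`, the transform name `drop_debug_events` and the DEBUG regex are assumptions chosen for illustration.

```ini
# props.conf -- placed on the indexer or heavy forwarder, where parsing happens.
# "app_debug" is a hypothetical sourcetype; substitute your own.
[app_debug]
TRANSFORMS-drop_debug = drop_debug_events

# transforms.conf
# Events whose raw text matches REGEX are routed to nullQueue and discarded
# before indexing, so they do not count toward the daily license volume.
# The transform name and the regex are illustrative assumptions.
[drop_debug_events]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue
```

Events sent to nullQueue are gone for good, so keep the regex narrow and leave authentication and audit events out of it if you may need them for later review. Index-time settings like these take effect after a Splunk restart and apply only to data indexed from then on.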
Just an update (since this dated page comes up as a search result about Splunk Free license):
I just installed 7.2.3 to use for a class. When I go to check the License in settings, I noticed that all it says for Free is it does not support auth (and has the 500MB limit), while Enterprise says it adds alerting. This would imply that the Free level does not support alerting.
I am using this to learn Enterprise; once I finish the class I'll try switching the license and see if alerting still works.
I don't agree that continuing to index but shutting down search is "stop working entirely", but we clearly have different opinions on this. I'm no Splunk employee, I'm a customer that sees this model as a good thing, as do many others. But of course any model you choose would have its disadvantages as well.
How about giving the customer a choice? But I can't think of any other license that works like this, it just stops working entirely when you exceed limits (until you get the vendor to unlock it for you). A license limit is a license LIMIT, not a warning and then a cancellation.
It's common sense to ME, as a user of the software. If I have more than the 500 MB/day of data, then just don't index it. Please don't just shut down and make it impossible for me to access my data at all! I don't access it often, I don't SEE those warnings. But when I do, it's a crisis, and IT MUST WORK as expected.