Issue with expired license

Path Finder

Hi all,

I've got an issue whereby my license expired on my test server: I reinstalled it and added the wrong instance to the license master, so the license expired on my test server. I've re-added it and it's removed the license warning from the license master, but I'm still unable to run searches on the server itself. Is there anything I can do to kick it back into life?

I can confirm that it's been added to the licensed pool and the license master can see the data coming in (it's only doing a few MB a day), but when I try to run any searches I get the license expired message.

I can see in the licensing section that it's connected to the license master. I can also see search is disabled through the features:
features {'RcvData': 'ENABLED', 'MultisiteClustering': 'ENABLED', 'Alerting': 'ENABLED', 'SyslogOutputProcessor': 'ENABLED', 'MultifactorAuth': 'ENABLED', 'UnisiteClustering': 'ENABLED', 'AdvancedXML': 'ENABLED', 'AllowDuplicateKeys': 'DISABLED_DUE_TO_LICENSE', 'RcvSearch': 'ENABLED', 'HideQuotaWarnings': 'DISABLED_DUE_TO_LICENSE', 'LDAPAuth': 'ENABLED', 'DistSearch': 'ENABLED', 'SigningProcessor': 'ENABLED', 'ScheduledSearch': 'ENABLED', 'NontableLookups': 'ENABLED', 'ScriptedAuth': 'ENABLED', 'SearchheadPooling': 'ENABLED', 'DeployServer': 'ENABLED', 'FederatedSearch': 'DISABLED_DUE_TO_LICENSE', 'DisableQuotaEnforcement': 'DISABLED_DUE_TO_LICENSE', 'DeployClient': 'ENABLED', 'ScheduledReports': 'ENABLED', 'ArchiveToHdfs': 'ENABLED', 'ResetWarnings': 'DISABLED_DUE_TO_LICENSE', 'FederatedSearchPremium': 'DISABLED_DUE_TO_LICENSE', 'SubgroupId': 'DISABLED_DUE_TO_LICENSE', 'Acceleration': 'ENABLED', 'AdvancedSearchCommands': 'ENABLED', 'SplunkWeb': 'ENABLED', 'KVStore': 'ENABLED', 'CustomRoles': 'ENABLED', 'FwdData': 'ENABLED', 'DataFabricSearch': 'DISABLED_DUE_TO_LICENSE', 'GuestPass': 'ENABLED', 'SAMLAuth': 'ENABLED', 'Auth': 'ENABLED', 'LocalSearch': 'DISABLED_DUE_TO_VIOLATION', 'ScheduledAlerts': 'ENABLED', 'AWSMarketplace': 'DISABLED_DUE_TO_LICENSE', 'RollingWindowAlerts': 'ENABLED'}

How do I get it to allow me to search my data again?

Thanks!

Best regards,
Alex
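
An added example (not part of the original post and not Splunk's own code): a small Python helper that parses a "features {...}" line like the one quoted above, separates features in the DISABLED_DUE_TO_VIOLATION state from those in DISABLED_DUE_TO_LICENSE, and diffs two snapshots so a fix can be confirmed. The BEFORE/AFTER lines are constructed, shortened samples, and the function names are hypothetical.

```python
import ast

# Constructed samples: shortened "features {...}" lines, before and after a fix.
BEFORE = ("features {'RcvData': 'ENABLED', 'RcvSearch': 'ENABLED', "
          "'FederatedSearch': 'DISABLED_DUE_TO_LICENSE', "
          "'ResetWarnings': 'DISABLED_DUE_TO_LICENSE', "
          "'LocalSearch': 'DISABLED_DUE_TO_VIOLATION', 'DistSearch': 'ENABLED'}")
AFTER = BEFORE.replace("DISABLED_DUE_TO_VIOLATION", "ENABLED")

def parse_features(line):
    """Extract the feature -> state mapping from a pasted 'features {...}' line."""
    start, end = line.find("{"), line.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no feature dictionary found")
    try:
        # literal_eval only accepts Python literals, so pasted text is never executed.
        parsed = ast.literal_eval(line[start:end + 1])
    except (SyntaxError, ValueError) as exc:
        raise ValueError(f"malformed feature dictionary: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("feature block is not a dictionary")
    return {str(name): str(state) for name, state in parsed.items()}

def disabled_by(features, state):
    """Sorted names of the features whose state equals `state`."""
    return sorted(name for name, value in features.items() if value == state)

def state_changes(before, after):
    """Map feature -> (old, new) for every feature whose state differs."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n))
            for n in names if before.get(n) != after.get(n)}

if __name__ == "__main__":
    old, new = parse_features(BEFORE), parse_features(AFTER)
    print("violation:", disabled_by(old, "DISABLED_DUE_TO_VIOLATION"))
    print("license:  ", disabled_by(old, "DISABLED_DUE_TO_LICENSE"))
    for name, (was, now) in state_changes(old, new).items():
        print(f"{name}: {was} -> {now}")
```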

Communicator

Hi.

We have experienced a similar case in which an Expired Instance would be added to the License Master but could not perform any searches.

The thing that we found out is that since the Expired Instance did not join the Master, it started to use its Free License option without us realizing. After the Free License expired it blocked all Saved and Adhoc Searches; at this point we tried to make it join our License Master successfully but still could not perform any search.

  • The fastest solution that worked for us was to ask for a Reset License on Splunk Support Portal stating that we hadn't noticed the violations until it was too late. They answered the same day with the Reset Key that you can upload to the Expired Instance directly (You must first separate this instance from your Master License Server and then apply the Reset Key to the Expired Instance directly; after it has cleared you can make it join the License Master again)
  • The other option was to migrate the data from the indexes ($SPLUNK_HOME/var/lib/splunk) and also selectively transfer the configurations ($SPLUNK_HOME/etc) to a freshly installed Splunk Instance, and then join it to the License Master.

Hope it helps

Cheers!!!

Path Finder

Feared that this was the case. Luckily I don't need any of the data from indexes as it's a test server, but will be a reinstall now, I think.
Thank you.

Communicator

A couple of questions

  1. Is the "test server" pointed to a valid license master after it was reinstalled?
  2. When you said "I'm still unable to run searches on the server itself", were you referring to the same "test server"?
  3. Did you bounce the "test server" after it was reinstalled?

Path Finder
  1. Not initially; this is the cause of the breach. It shared the same name as before but had a different GUID. Silly mistake.
  2. Yes, this is the test server that runs as a standalone indexer/searchhead.
  3. Not the server, as I don't have the rights to do that, but, yes, I have restarted the Splunk instance