I just change splunk from Trial to Free. However, same as some other user asking, a warning messages comes out.
[EventsViewer module] Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
I checked the dailay volume use. There should be lower than 500MB
Licensed daily volume 500 MB
Volume used today 57 MB (11.36% of quota)
Also, I have checked other answer from here but looks cannot help me. Did any offical link can point me how to solve this problem?
Try this command to check your index sizes
index=internal earliest=-24h source=*metrics.log perindexthruput | eval mb=kb/1024 | stats sum(mb) by series. There is also preconfigured searches that can assist you in measuring your indexes and data. YourSplunkServer/en-US/app/search/indexstatus
Try to limit the amount of information your splunk forwarders or Data inputs send\import to your indexer, Segregate your indexes per Data inputs. I stop all forwarders or data inputs, then sequentially enable the LWF's and data inputs to measure the license usage. Blacklist any superfluous or UN-needed data on your LWf's or Data inputs. Do you have any Apps running non-essential scheduled searches?
Just checked the the warning alert/warning message. It looks I have already reach the max warning/alert so it was disable the search?
1 pool warning reported by 1 indexer Correct by midnight to avoid violation Learn more 1 pool violation reported by 1 indexer Correct by midnight to avoid violation Learn more
Is there are any method to reduce the index build? by reduce the date of record can do it?