Installation

Licensing error reported in splunkd.log on LWF's - "ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved."

mctester
Communicator

We have the splunk LWF service installed on 100 (ish) vm's that should all be passing traffic to our indexers. All the vm's we've checked are getting the following message:

tail /opt/splunk/var/log/splunk/splunkd.log 09-09-2010 08:06:02.877 ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved.

License usage on the indexer is within compliance:

Product: Enterprise Days remaining: 99928 days License level: 2,048 MB Peak usage: 1,443.369 MB Expiration date: Apr 12, 2284 12:56:11 PM License violations:

I was under the impression that LWF daemons did not require licenses?

Tags (3)
1 Solution

Mick
Splunk Employee
Splunk Employee

Every Splunk instance needs 'some' kind of license to run, but not every instance requires an indexing license. Please read the information here so that you are familiar with the various types of license - http://www.splunk.com/base/Documentation/latest/Installation/AboutSplunklicenses

The first time Splunk is installed, it will use the 'Enterprise Trial' license that is bundled with the download package. This is usually valid for between 30 and 60 days.

For forwarders, you generally don't need an indexing capability, so we have also included a 'Forwarding license' in the download package. This is a 1MB, perpetual Enterprise license that will enable all features, like security, distributed search and deployment server, but will not all for any indexing. You can also use this license on search head instances.

Lastly, there is the perpetual, 500MB, free license. You can apply this to your forwarders also, and they will work just fine if all you want to do is forward data, but none of the other features will be enabled - the most important of which is security.

To resolve the messages you are seeing, simply update the $SPLUNK_HOME/etc/splunk.license file with either the free or the forwarder license, and recycle your instances.

View solution in original post

Mick
Splunk Employee
Splunk Employee

Every Splunk instance needs 'some' kind of license to run, but not every instance requires an indexing license. Please read the information here so that you are familiar with the various types of license - http://www.splunk.com/base/Documentation/latest/Installation/AboutSplunklicenses

The first time Splunk is installed, it will use the 'Enterprise Trial' license that is bundled with the download package. This is usually valid for between 30 and 60 days.

For forwarders, you generally don't need an indexing capability, so we have also included a 'Forwarding license' in the download package. This is a 1MB, perpetual Enterprise license that will enable all features, like security, distributed search and deployment server, but will not all for any indexing. You can also use this license on search head instances.

Lastly, there is the perpetual, 500MB, free license. You can apply this to your forwarders also, and they will work just fine if all you want to do is forward data, but none of the other features will be enabled - the most important of which is security.

To resolve the messages you are seeing, simply update the $SPLUNK_HOME/etc/splunk.license file with either the free or the forwarder license, and recycle your instances.

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...