Licensing error reported in splunkd.log on LWFs - "ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved."

mctester
Communicator

We have the Splunk LWF service installed on 100 (ish) VMs that should all be passing traffic to our indexers. All the VMs we've checked are getting the following message:

tail /opt/splunk/var/log/splunk/splunkd.log
09-09-2010 08:06:02.877 ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved.

License usage on the indexer is within compliance:

Product: Enterprise
Days remaining: 99928 days
License level: 2,048 MB
Peak usage: 1,443.369 MB
Expiration date: Apr 12, 2284 12:56:11 PM
License violations:

I was under the impression that LWF daemons did not require licenses?

1 Solution

Mick
Splunk Employee

Every Splunk instance needs 'some' kind of license to run, but not every instance requires an indexing license. Please read the information here so that you are familiar with the various types of license - http://www.splunk.com/base/Documentation/latest/Installation/AboutSplunklicenses

The first time Splunk is installed, it will use the 'Enterprise Trial' license that is bundled with the download package. This is usually valid for between 30 and 60 days.

For forwarders, you generally don't need an indexing capability, so we have also included a 'Forwarding license' in the download package. This is a 1MB, perpetual Enterprise license that will enable all features, like security, distributed search and deployment server, but will not allow for any indexing. You can also use this license on search head instances.

Lastly, there is the perpetual, 500MB, free license. You can apply this to your forwarders also, and they will work just fine if all you want to do is forward data, but none of the other features will be enabled - the most important of which is security.

To resolve the messages you are seeing, simply update the $SPLUNK_HOME/etc/splunk.license file with either the free or the forwarder license, and recycle your instances.
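
A check for the error above that can be rerun on each forwarder once the license file has been replaced and the instance restarted, added here as an example and not part of the original thread. The function names, the optional cut-off argument and the sample log lines are assumptions constructed for illustration; only the LicenseManager message and its timestamp layout come from the post.

```sh
#!/bin/sh
# Added example (not from the thread): count LicenseManager errors in a
# splunkd.log, optionally only those at or after a cut-off time.

LICENSE_ERR='ERROR LicenseManager - License expired or over limit'

# license_status LOGFILE ['MM-DD-YYYY HH:MM:SS']
# Prints "<count> <timestamp of last match>", or "0" when nothing matches.
# Returns 0 = clean, 1 = error present, 2 = log not readable.
license_status() {
    logfile=$1
    since=${2:-"01-01-1970 00:00:00"}
    [ -r "$logfile" ] || { echo "unreadable: $logfile" >&2; return 2; }
    awk -v pat="$LICENSE_ERR" -v since="$since" '
        # MM-DD-YYYY does not sort as text, so rebuild it as YYYYMMDD first.
        function key(d, t,   p) { split(d, p, "-"); return p[3] p[1] p[2] " " t }
        BEGIN { split(since, s, " "); min = key(s[1], s[2]) }
        index($0, pat) && key($1, $2) >= min { n++; last = $1 " " $2 }
        END {
            if (n) { print n, last; exit 1 }
            print 0
        }
    ' "$logfile"
}

# Constructed sample log: only the ERROR text and timestamp layout are from
# the post; dates, times and the INFO line are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
12-30-2009 23:59:00.000 ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved.
01-02-2010 08:05:02.101 ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved.
01-02-2010 08:06:02.877 ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved.
01-02-2010 09:15:00.000 INFO ExampleComponent - constructed filler line
EOF
}

# Demo: whole log, then only entries after a restart at 09:00 on 01-02-2010.
sample=$(mktemp)
write_sample_log "$sample"
license_status "$sample" || true
license_status "$sample" '01-02-2010 09:00:00' || true
rm -f "$sample"
```

Passing the restart time as the second argument separates errors logged before the license change from any that recur afterwards, so a non-zero count there means the forwarder is still blocked.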
