Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Licensing error reported in splunkd.log on LWF's - "ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved."

mctester
Communicator
‎09-09-2010 03:36 PM

We have the splunk LWF service installed on 100 (ish) vm's that should all be passing traffic to our indexers. All the vm's we've checked are getting the following message:

tail /opt/splunk/var/log/splunk/splunkd.log 09-09-2010 08:06:02.877 ERROR LicenseManager - License expired or over limit. Blocking search until this is resolved.

License usage on the indexer is within compliance:

Product: Enterprise Days remaining: 99928 days License level: 2,048 MB Peak usage: 1,443.369 MB Expiration date: Apr 12, 2284 12:56:11 PM License violations:

I was under the impression that LWF daemons did not require licenses?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Mick
Splunk Employee
Splunk Employee
‎09-09-2010 03:38 PM

Every Splunk instance needs 'some' kind of license to run, but not every instance requires an indexing license. Please read the information here so that you are familiar with the various types of license - http://www.splunk.com/base/Documentation/latest/Installation/AboutSplunklicenses

The first time Splunk is installed, it will use the 'Enterprise Trial' license that is bundled with the download package. This is usually valid for between 30 and 60 days.

For forwarders, you generally don't need an indexing capability, so we have also included a 'Forwarding license' in the download package. This is a 1MB, perpetual Enterprise license that will enable all features, like security, distributed search and deployment server, but will not all for any indexing. You can also use this license on search head instances.

Lastly, there is the perpetual, 500MB, free license. You can apply this to your forwarders also, and they will work just fine if all you want to do is forward data, but none of the other features will be enabled - the most important of which is security.

To resolve the messages you are seeing, simply update the $SPLUNK_HOME/etc/splunk.license file with either the free or the forwarder license, and recycle your instances.

View solution in original post

Reply
Solved! Jump to solution
Solution

Mick
Splunk Employee
Splunk Employee
‎09-09-2010 03:38 PM

Every Splunk instance needs 'some' kind of license to run, but not every instance requires an indexing license. Please read the information here so that you are familiar with the various types of license - http://www.splunk.com/base/Documentation/latest/Installation/AboutSplunklicenses

The first time Splunk is installed, it will use the 'Enterprise Trial' license that is bundled with the download package. This is usually valid for between 30 and 60 days.

For forwarders, you generally don't need an indexing capability, so we have also included a 'Forwarding license' in the download package. This is a 1MB, perpetual Enterprise license that will enable all features, like security, distributed search and deployment server, but will not all for any indexing. You can also use this license on search head instances.

Lastly, there is the perpetual, 500MB, free license. You can apply this to your forwarders also, and they will work just fine if all you want to do is forward data, but none of the other features will be enabled - the most important of which is security.

To resolve the messages you are seeing, simply update the $SPLUNK_HOME/etc/splunk.license file with either the free or the forwarder license, and recycle your instances.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...