So we had an enterprise license for 60 days, after the expiry, we were downgraded to the free version but Splunk stopped indexing/searching our files. Apparently after the license expiry (and some license expiry warning) if you don't upgrade in time, you can't use the product for 30 days even though you were downgraded to the free version and your size limit is well within 500 MB.
This is a major issue for us and i am not sure why Splunk behaves this way. Any pointers on how to get unblocked on this so that we don't have to wait for 30 days would be much appreciated?
That should not be the case. Are you sure this was triggered by the trial licence expiry, and not some other material change. Any Enterprise features you were using will naturally be disabled once the licence is downgraded, but that should not affect basic indexing and searching features. If you blow the 500MB limit 3 times, THEN the searching will shutdown until the exceptions number less than 3 days in the last 30.
I can guarantee yo that it continues to work after a licence downgrade under normal circumstances. I use the free version here, at home. "Can't use" is a very vague term. How does this inability to use it manifest itself?
There are two solutions:-
1) backup your indexes, a clean re-install (and then possibly re-import your indexes), then make sure you don't exceed your cap this time.
2) Buy an enterprise licence.
You can't ignore the warnings and expect nothing to result. One difference between the enterprise and free licence is that free only allows 2 exceptions in 30 days, and will shut you out on the third, whilst the enterprise licence allows 4 and will shut you out on the 5th, which is probably why you have been closed out since the downgrade. The product appears to be behaving exactly as the terms and conditions tell you it will.
How do you know it is no longer indexing? It should continue indexing, even when the search if locked out due to a licence violation. The fact that you had warnings BEFORE the licence expiry suggests that whilst you may not have blown the cap after the expiry, you did beforehand, and as long as those execeptions remain within the last 30 days then you are in violation of the free licence.
Thanks for the response. When i say, it doesn't work, i meant that Splunk stops indexing the file and we can no longer search through the logs. We didn't blow through our cap space of 500 MB, the only thing that happened was we got several licensing warnings leading up to the trial expiry. We ignored that thinking that we'd get downgraded to the free product which did happen just that we were told that there's that 30 day period until which the indexing/searching won't work.