from the documentation:
"If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more violations on an Enterprise license or 3 violations on a Free license in a rolling 30-day period, search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) violations in the previous 30 days or when you apply a new license with a larger volume limit.
Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks access while you exceed your license.
Note: Searches to the _internal index are not disabled even during a licensing-enforcement period, so you can still access the Indexing Status dashboard, or run searches against _internal to diagnose the licensing problem. "
so: you can exceed your Enterprise license 4 times within 30 days--the 5th time, search will be disabled. You can exceed your Free licenses 2 times, and the 3rd time, search will be disabled.
You should try contacting sales to see if they can offer you a larger license for your evaluation. The licenses have a time out so if you are legitimately evaluating, I don't see why they wouldn't offer you the bigger license.
are they serious? Instead of penalizing us for using the trial when it accidently goes over the limit, shouldnt they instead just stop indexing at the limit???
I had this problem as we went way over after first adding our servers due to historical data. We have been supplied a larger licence which I have applied however it still wont let us carry out any searches now.
Is there anyway to reset this?
I am new to Splunk and I am trying to understand forwarders. I ran my first test and I imported 65,000 null values with a timestamp, guid and shot over the limit.
Why not create a single user version in trial mode for a month at least I could test the forwarders without it hurting my indexing dont know if I said that right because I really dont understand what counts as a index.
Also I have years of historical data why not give us the ability to import that data over time so we dont go over the index in a given day.
Is a index a search index, a import index, a row index. Not sure.