I'm a 19 year old student who just installed Splunk yesterday, so please don't be afraid to assume I hardly know anything.
Here's my computer specs, if needed:
Lenovo X220T Convertible Tablet
i7 2620M 2.7GHz
Samsung SSD 830 Series
64-bit Windows 7
Splunk 5.0.1 x64
If the picture doesn't show above, I have two pool warnings and one permanent license warning. With my limited understanding, I believe that if I get three permanent warnings, my "Search" app is disabled until I have less than three permanent warnings in the last thirty days. Indexing doesn't stop during that time, however, and I think I would still be able to view dashboards.
I went here
to try and figure out how to uninstall the Browsing history app, because it appears as though that app is responsible for exceeding my 500MB per day limit. I don't want this app anymore, let alone need it. I just wanted to try it out yesterday without any idea that it could cause this problem. Unfortunately, I don't understand how to execute the code instructions they give - am I to enter this in my browser, command prompt, or go to the file directory in windows explorer? I tried going to
C:\Program Files\Splunk\etc\apps with no luck in finding the Browsing history app folder.
I also went here
because it seems as though my problem isn't the app, it's the indexing of MB of information that the app uses. So uninstalling the app wouldn't stop the indexing, and therefore wouldn't solve my Permanent-warnings-exceeding-three-in-a-thirty-day-period problem.
Can someone tell me what I'm doing wrong, or provide a more detailed step by step approach to removing an index and an app in laymen's terms?
Since the data has already been indexed, removing it from the system won't help with the licensing. It may also be that the App found everything, indexed it, and will now never exceed the 500MB limit because it only does incremental from that point. This particular app "installs" under a "browsers" folder. Depending on where you installed it from (Splunk GUI vs Download direct) will also dictate where on the actual filesystem it resides. You can disable the App via the GUI as mentioned above. You can also disable it by using
app.conf in the
$APP_HOME\default of the app.
C:\Program Files\Splunk\etc\apps should be the correct location of the "browsers" folder you seek. Those commands you reference should be run via CLI from the
C:\Program Files\Splunk\bin folder. There is where the splunk executable lives.
If, within a span of one month, you exceed your bandwidth 3 times indexing will happen but searches won't work; dashboards usually invoke saved searches that's why they won't load.
If you still get data indexed then you could re-install the forwarder with default settings or look for the inputs.conf file in your forwarder client installation path and amend what's defined there.
Also check the inputs defined through splunk web
As far as I know you can't request a reset of your license unless you're using the Enterprise edition of Splunk. But it seems you only have one warning so you are good