Installation

search disabled because of license violation. How to enable them back after importing the new license?

asingla
Communicator

As we are evaluating splunk for out project, I was running the splunk with the free trial license (500MB/day). I violated the license during data sizing and search got disabled. Now we got another trial license from splunk (20GB/day) for a month. After adding that license, those error message about violations are not going away and search is still disabled. How to enable those features back?

1 Solution

jbsplunk
Splunk Employee
Splunk Employee

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem. 

View solution in original post

priyohw
Explorer

you can do re indexing which will destroy your current index.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

adding a new license will not clear violations. If you were already in a state where search is disabled, a license reset or 30 day wait would be required.

lguinn2
Legend

After you added the new license, did you restart Splunk?

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem. 

jbsplunk
Splunk Employee
Splunk Employee

Glad to hear you were able to resolve this with Support. Please feel free to accept the answer and upvote it if you found it to be helpful.

0 Karma

asingla
Communicator

Got the reset license by raising a ticket with splunk support.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...