Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search disabled because of license violation. How to enable them back after importing the new license?

asingla
Communicator
‎11-14-2011 10:16 AM

As we are evaluating splunk for out project, I was running the splunk with the free trial license (500MB/day). I violated the license during data sizing and search got disabled. Now we got another trial license from splunk (20GB/day) for a month. After adding that license, those error message about violations are not going away and search is still disabled. How to enable those features back?

Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎11-14-2011 10:26 AM

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem.

View solution in original post

Reply
Solved! Jump to solution

priyohw
Explorer
‎12-07-2011 07:13 PM

you can do re indexing which will destroy your current index.

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎11-14-2011 10:44 AM

adding a new license will not clear violations. If you were already in a state where search is disabled, a license reset or 30 day wait would be required.

Reply
Solved! Jump to solution

lguinn2
Legend
‎11-14-2011 10:41 AM

After you added the new license, did you restart Splunk?

0 Karma
Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎11-14-2011 10:26 AM

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem.
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎11-14-2011 10:43 AM

Glad to hear you were able to resolve this with Support. Please feel free to accept the answer and upvote it if you found it to be helpful.

0 Karma
Reply
Solved! Jump to solution

asingla
Communicator
‎11-14-2011 10:41 AM

Got the reset license by raising a ticket with splunk support.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...