Installation

search disabled because of license violation. How to enable them back after importing the new license?

asingla
Communicator

As we are evaluating splunk for out project, I was running the splunk with the free trial license (500MB/day). I violated the license during data sizing and search got disabled. Now we got another trial license from splunk (20GB/day) for a month. After adding that license, those error message about violations are not going away and search is still disabled. How to enable those features back?

1 Solution

jbsplunk
Splunk Employee
Splunk Employee

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem. 

View solution in original post

priyohw
Explorer

you can do re indexing which will destroy your current index.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

adding a new license will not clear violations. If you were already in a state where search is disabled, a license reset or 30 day wait would be required.

lguinn2
Legend

After you added the new license, did you restart Splunk?

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem. 

jbsplunk
Splunk Employee
Splunk Employee

Glad to hear you were able to resolve this with Support. Please feel free to accept the answer and upvote it if you found it to be helpful.

0 Karma

asingla
Communicator

Got the reset license by raising a ticket with splunk support.

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...