As we are evaluating splunk for out project, I was running the splunk with the free trial license (500MB/day). I violated the license during data sizing and search got disabled. Now we got another trial license from splunk (20GB/day) for a month. After adding that license, those error message about violations are not going away and search is still disabled. How to enable those features back?
Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact sales or support. The license comes with instructions on how to apply it.
Note: Summary indexing volume is not counted against your license.
If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.
During a license violation period:
Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license. Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem.
Got the reset license by raising a ticket with splunk support.
Glad to hear you were able to resolve this with Support. Please feel free to accept the answer and upvote it if you found it to be helpful.
adding a new license will not clear violations. If you were already in a state where search is disabled, a license reset or 30 day wait would be required.
you can do re indexing which will destroy your current index.