Monitoring Splunk

Licence free exceeded limit

novoferm
New Member

Hello,

I just have 4 servers in my splunk forwarder configuration and I exceeded the free licence.

I would like configure my server to use just a free licence but no exceed the limit.

Can you help me for this configuration please.

Best regards.

Tags (3)
0 Karma

chimell
Motivator

Hi novoferm
For understand this let read Splunk-6.1.1-Admin manual
p93 (Free License)
P110 (What About Violations and Warnings)
P112 (How To Avoid License Violation and correcting License warning)

NOTE : Search this manual in splunk Documentation

novoferm
New Member

Hello,

Searching is locked yet after 2 days waiting.

How many time is the lock time?

best regards

0 Karma

rwissSLNL
Engager

Hello,

It takes 30 days to release the lock from the search.

Best regards

0 Karma

novoferm
New Member

It's possible to unlock before the 30 days?

0 Karma

rwissSLNL
Engager

With a normal license you can request a reset license from Splunk.
But because you use a free license Splunk will not give a reset key.

Best solution is to buy a license key.

0 Karma

novoferm
New Member

OK thanks.

I will wait 30 days.

Best regards

0 Karma

novoferm
New Member

Hello,
Sorry I have read the manual but I can't resolve my licence problem.
Could you help me please, to install again a free licence without exceed this limit.

0 Karma

aweitzman
Motivator

The quick answer is that it is your job to ensure that you don't send too much data to Splunk and go over the free license limit. Splunk will not do it for you, and there is no way to configure it (easily) to make it so that it does.

Part of it might be you doing some regular monitoring, and shutting things off when they get too chatty. Part of it might be reducing the number of your inputs. Part of it might be writing some props/transforms configuration stanzas to reduce the size of the inputs you are taking in. Part of it might be setting up multiple Splunk servers with free licenses and directing your traffic so that none of them goes over. But there is no way to tell Splunk, "Stop indexing at the free license limit."

0 Karma

novoferm
New Member

OK thank you for your answer.
I have reduced the number of logs in the inputs file.
Now i have just 2 servers which send the windows event log to splunk forwarder.

[WinEventLog://Application]
disabled = 1
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 0

I think that the licence limit will be good now.

And I wait that Splunk unlock the seach task? Or I must change anything else?

Thank you a lot.

0 Karma

aweitzman
Motivator

Yes, once you're locked out of searching, you either need to pay for a license or wait until the lock time is over in order to search again.

0 Karma

novoferm
New Member

OK thank you.

0 Karma

novoferm
New Member

Thank you for your answer.
I'll read the manuel now

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...