Security

Licencing Alert - Daily indexing volume limit exceeded. Error in 'UnifiedSearch': Your Splunk license expired or you have exceeded your license limit too many times

shannongroup
Explorer

Hi I checked splunk today to find the following error, however I did not exceed any quota's. I had a trial licence and today switched to a free licence. I've read other posts about this and have seen I would have to wait 30 days for the violations to clear. This is not right?
Can this be rectified?

alt text

alt text

Tags (1)
0 Karma

shannongroup
Explorer

I have not violated any quota's ?

As you can see in the image, the three violations are for exceeding 0 bytes and in Trial ? not 500MB in free !!

This is beyond ridiculous

Can I have these restriction removed ?

alt text

0 Karma

shannongroup
Explorer

I only saw the alert yesterday ? It instructed me to apply the free licence, which I did and I restarted splunk.
I received the errors shown above the same moment I changed to the free licence. To me it looks like I'm getting a warning for a few day that my licence is about to expire, it expires and for 3 days I exceed 0 bytes and the violations are imposed.

The data I ingest is tiny, maybe 2-3 MB a day max, today for example only 1 MB has been ingested. There is no way I have violated the terms and conditions. This is not a good advertisement for the product.

Can these violation be removed or will I have to wait 30 days ??

0 Karma

nikita_p
Contributor

Hi,
Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

  • User accounts or roles that you created no longer work.
  • Anyone connecting to the instance will automatically be logged on as admin. You will no longer see a login screen, though you will see the update check occur.
  • Any knowledge objects created by any user other than admin (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:
  • Use Splunk Web to promote them to be globally available before you switch. See Manage app and add-on objects.
  • Hand edit the configuration files they are in to promote them. See App architecture and object ownership.
  • Any alerts you defined no longer trigger. You no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes.
  • Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats do not work.

When you switch to splunk free from a Trail Enterprise license follow the steps below:

  1. Log in to Splunk Web as a user with admin privileges and navigate to Settings > Licensing.

  2. Click Change license group at the top of the page.

  3. Select Free license and click Save.

  4. You are prompted to restart.

You can also go through the link of splunk documentation below:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/HowSplunklicensingworks

0 Karma

shannongroup
Explorer

Thanks Nikita,
My point is I have switched to the Free Licence, and now my data won't display. I have not exceeded any quota's and have only received this error since my Enterprise licence had expired before I moved over to the free.

This violation is because I exceeded quota's on an expired licence ?? That can't be correct, the licence had expired.

Can you reset my voilations on this free Licence ? They are unfair

0 Karma

nikita_p
Contributor

You were getting this alerts before you moved to free license right?
If yes, then have you restarted your Splunk service after uploading free license?
And are you getting this violations alerts as soon as you have uploaded free license or after some days because you can ingest only 500 MB data per day and in free license only three violations are allowed after that even your free license will expire.

0 Karma

dkeck
Influencer

Hi,
if you had a enterpirse license you could ask for a nonenforcement licence, since this is a free license you will have to wait 30 days.

0 Karma

shannongroup
Explorer

I haven't exceeded any quota's, I just didn't have an active free licence? I was under the impression that after the 15 days of enterprise, it would change to the free licence. I signed in to see my dashboard blank and changed to the free licence straight away.

I don't think this is a justified violation.

0 Karma

dkeck
Influencer

I would advice to contact splunk support to reactivate you license.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...