Enterprise License Violation
We are a small Managed Service Provider (MSP) currently testing Splunk with a deployment on a Windows 2019 server using a trial version. After adding a remote device and integrating the Fortinet FortiGate App for Splunk, the system functioned well initially. However, the next day, we noticed that the system encountered 5 violations in one night. Subsequently, when accessing the dashboard, we were greeted with the following message:
"Error in 'rtlitsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store."
Is there a way to resolve this issue without performing a full reinstall? Additionally, is there a way to set a limit on the amount of data being indexed to avoid triggering the violation? I have come across references to routing logs to the "nullQueue" and would appreciate feedback from the community on this approach or any other recommended solutions.
Thank you in advance for your help!
Since you are using a Splunk trial license and hitting the 500 MB daily indexing limit:
1. Disable Unnecessary FortiGate Logs
2. Use props.conf and transforms.conf to drop unwanted events before indexing them. This can be done by defining transforms to filter out unnecessary logs.
3. Since your system is hitting violations overnight, create alerts to notify you before reaching the limit OR Monitor your license usage.
4. If you are using Splunk for testing, apply for a Developer License.
https://dev.splunk.com/enterprise/dev_license/
https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html
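As an added illustration of steps 2 and 3 above (not configuration from the original answer, the Fortinet app, or Splunk documentation), the stanzas below show one way to route the highest-volume FortiGate events to nullQueue before they count against the license, plus a scheduled alert that fires when the day's indexed volume approaches the 500 MB limit. The sourcetype name `fgt_log`, the regex for accepted-traffic sessions, the 400 MB threshold and the e-mail address are assumptions; check the sourcetype the FortiGate app assigns to your input and adjust the regex to the fields you actually see.

```ini
# --- props.conf (on the indexer or heavy forwarder that parses the data;
#     nullQueue filtering does not work on a universal forwarder) ---
# Assumed sourcetype name; confirm with: index=* | stats count by sourcetype
[fgt_log]
# Transforms run in listed order; the last matching transform decides the queue.
TRANSFORMS-fgt_filter = fgt_drop_allowed_traffic, fgt_keep_security

# --- transforms.conf ---
[fgt_drop_allowed_traffic]
# Routine allowed-session traffic logs are usually the bulk of FortiGate volume.
# Events routed to nullQueue are discarded and never counted against the license.
# Quotes around values are optional (older FortiOS versions omit them).
REGEX   = type="?traffic"?\s.*action="?accept"?
DEST_KEY = queue
FORMAT  = nullQueue

[fgt_keep_security]
# Make sure UTM and event logs (security-relevant detections, admin activity,
# config changes) are always kept, even if a later rule would have dropped them.
REGEX   = type="?(utm|event)"?
DEST_KEY = queue
FORMAT  = indexQueue

# --- savedsearches.conf (step 3: alert before the limit is reached) ---
[License usage above 400 MB today]
# license_usage.log "Usage" lines record bytes indexed per minute; summing
# them since midnight gives today's consumption. 400 MB is an assumed threshold
# chosen to leave headroom below the 500 MB trial limit.
search = index=_internal source=*license_usage.log* type=Usage | stats sum(b) AS bytes | eval mb=round(bytes/1024/1024,1) | where mb > 400
dispatch.earliest_time = @d
dispatch.latest_time = now
cron_schedule = */30 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
# Assumed recipient; replace with a real mailbox.
action.email.to = ops@example.invalid
```

After editing the files, restart Splunk (or run `splunk btool props list fgt_log --debug` to confirm the stanza is picked up) and verify with a search such as `index=* sourcetype=fgt_log type=traffic action=accept earliest=-15m` that the dropped events no longer arrive while UTM and event logs still do. Because filtering happens at parse time, events already indexed are unaffected, and anything you drop is gone for good, so start with the noisiest, least security-relevant category and widen the filter only after confirming what your clients will need to see.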
Unfortunately at this point you would need a reset license to remove the lock as it is reporting an enforced limit. You may be able to get this, along with an extended trial, by contacting Splunk sales; otherwise unfortunately I think it's likely going to be a re-install to start again with a trial license.
Regarding the nullQueue - this is where you could send subsets of data if you wanted to keep only some of the data ingested. It sounds like as you're only using a single source of data that you would find it easier to toggle off the input/source of the datafeed. Data that is sent to nullQueue will not be saved by Splunk.
I hope this helps, even if not necessarily what you were hoping for!
Kind regards
Will
Thank you for your reply.
At this stage, we are testing the system and currently only receiving data from a single device. Our goal is to demonstrate the value of Splunk to our clients so they can begin using it. However, before reaching that point, we need to resolve these types of issues to ensure a smooth production environment where clients can rely on their data being available.
We were able to revert to a previous snapshot, which helped restore the system to a cleaner state. However, I am now focused on finding a solution to prevent the system from hitting the 500 MB index data limit, in order to avoid license violations until we are ready to move to an enterprise license.
Any advice on how to adjust the system or prevent this issue would be greatly appreciated.
Thank you again for your assistance.