Splunk Enterprise

Indexers frequently going to internal indexes only due to errant License Expired messages

briancronrath
Contributor

For the past couple weeks I will at least once per day have one of our indexers go into internal logs only mode, and the reason it states is that License is expired.  It's a bogus message since the license definitely is not expired and also not even close to exceeded, and restarting splunk service on the indexer always clears the error.  Unfortunately not much more is provided by the splunk logs that would indicate anything I can investigate.

Has anyone ever ran into similar, or might know where I can look to troubleshoot this further?  It's making my life pretty tough because I have to constantly be restarting indexers due to this error.

Labels (1)
0 Karma

kiran_panchavat
Contributor

@briancronrath 

I would request you to contact Sales team to get a temporary reset license.

0 Karma

kiran_panchavat
Contributor

@briancronrath

Your splunk deployment is encountering license enforcement restrictions because of that you were not able to search the data from the indexers.

License Enforcement: This means Splunk is enforcing limits based on your current license.

45 warnings: You've received 45 warnings for exceeding your limit within a 60-day window.

Search disabled: If you receive 45 more warnings, search functionality will be disabled.

 

Possible Causes:

 

Data Ingestion: You might be ingesting more data than your license allows.

License Type: Your current license might not accommodate your data volume or usage needs.

License Pool Quota: If using a license pool, a specific member exceeding its quota could trigger warnings.

License Enforcement.png

0 Karma

kiran_panchavat
Contributor

Could you kindly paste the screenshot of the precise error you are receiving?

0 Karma

briancronrath
Contributor

briancronrath_0-1708536121591.png

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...