I was using Splunk Light in trial mode and the license expired.
I'm only collecting syslog from a few small devices well under <100MB/day. So we're talking a very small environment here.
I received a message upon logon that the license expired. I clicked a message to convert to free mode, and now I seem to be locked out of any searches because of license violations.
I don't understand the license violation because the free version has 500MB/day - and I'm a fraction of that.
Here's a screenshot of the licensing page. How do I fix this? Thanks in advance.
When you switched to Light Free mode, did you restart Splunk Light?
Can you post the output of the following commands (assuming Linux):
$SPLUNK_HOME/bin/splunk list licenser-groups
$SPLUNK_HOME/bin/splunk list licenser-pools
Thanks for the responses.
I did restart Splunk after switching to free mode. I also rebooted the server for good measure (twice!)
I am running on Windows. But here are the outputs of the commands from the CLI:
splunk list licenser-groups
Enterprise is_active:0 stack_ids:
Forwarder is_active:0 stack_ids: forwarder
Free is_active:0 stack_ids: free
Lite is_active:0 stack_ids: lite
Lite_Free is_active:1 stack_ids: lite_free
splunk list licenser-pools
auto_generated_pool_forwarder description:auto_generated_pool_forwarder effective_quota:1048576 quota:MAX slaves: stack_id:forwarder used_bytes:0
auto_generated_pool_free description:auto_generated_pool_free effective_quota:524288000 quota:MAX slaves: stack_id:free used_bytes:0
auto_generated_pool_lite description:auto_generated_pool_lite effective_quota:0 quota:MAX slaves: stack_id:lite used_bytes:0
auto_generated_pool_lite_free description:auto_generated_pool_lite_free effective_quota:511705088 quota:MAX slaves: stack_id:lite_free used_bytes:49634610
In regards to the error log, what is the best way to review this in Windows?
Ugh, well, there's no "grep" in Windows, but I'm pretty sure $SPLUNK_HOME/var/log/splunk is still there. I'm not much of a Windows user, but I think the Explorer has some "find in file" functionality. Also, if you're not running the latest version of SL then I'd recommend upgrading.
My searches show a handful of errors in a few different log files. However, they are all before this licensing problem, and seem unrelated to licensing.
So - I don't see any errors in any log files that seem related to licensing. Is there a particular log file that would be helpful to analyze?
Thanks. Narrowing it down to 1 log file vs. a directory full of log files is helpful.
There are very few ERROR matches - none with anything close to "internal" nearby.
Here are all the entries from the splunkd.log file today:
06-02-2016 00:00:00.287 -0500 INFO LMStackMgr - should rollover=true because _lastRolloverTime=1464757200 lastRolloverDay=1464757200 snappedNow=1464843600
06-02-2016 00:00:00.287 -0500 INFO LMStackMgr - finished rollover, new lastRolloverTime=1464843600
06-02-2016 00:00:28.287 -0500 INFO LMSlaveInfo - Detected that masterTimeFromSlave(Wed Jun 01 23:59:28 2016) < lastRolloverTime(Thu Jun 02 00:00:00 2016), meaning that the master has already rolled over. Ignore slave persisted usage.
06-02-2016 00:16:07.602 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='C:\Program Files\Splunk\var\log\splunk\audit.log'.
06-02-2016 03:15:58.350 -0500 INFO BucketMover - will attempt to freeze: candidate='C:\Program Files\Splunk\var\lib\splunk\_introspection\db\db_1463645744_1463042039_3' because frozenTimePeriodInSecs=1209600 is exceeded by the difference between now=1464855358 and latest=1463645744
06-02-2016 03:15:58.366 -0500 INFO DatabaseDirectoryManager - idx=_introspection Writing a bucket manifest in hotWarmPath='C:\Program Files\Splunk\var\lib\splunk\_introspection\db', pendingBucketUpdates=0 . Reason='Removing bucket, bid=_introspection~3~7DC151F2-F7FF-4C9F-9D41-FF45B6DA353D'
06-02-2016 03:15:58.491 -0500 INFO BucketMover - AsyncFreezer freeze succeeded for bkt='C:\Program Files\Splunk\var\lib\splunk\_introspection\db\db_1463645744_1463042039_3'
06-02-2016 03:15:59.288 -0500 INFO DatabaseDirectoryManager - idx=_introspection Writing a bucket manifest in hotWarmPath='C:\Program Files\Splunk\var\lib\splunk\_introspection\db', pendingBucketUpdates=0 . Reason=' frozen_buckets'
06-02-2016 06:59:42.116 -0500 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='C:\Program Files\Splunk\var\log\splunk\metrics.log'.
06-02-2016 06:59:42.116 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='C:\Program Files\Splunk\var\log\splunk\metrics.log'.
06-02-2016 06:59:42.163 -0500 INFO WatchedFile - Will begin reading at offset=24991320 for file='C:\Program Files\Splunk\var\log\splunk\metrics.log.1'.
Really only looking for "ERROR" log entries, not "INFO". Also note that the search "index=_internal ERROR" is a directive to show all "ERROR" events from the _internal index.
What about that upgrade option?
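An added example, not part of the original thread and not Splunk's own tooling: a small Python filter for splunkd.log that selects entries by the level field rather than by the bare word ERROR, and separately lists entries from components whose names start with LM. Treating the LM prefix as the license manager is an assumption based on the LMStackMgr and LMSlaveInfo lines above; the ExampleComponent entries in the sample are constructed.

```python
import re

# Entry layout as seen in the thread's splunkd.log excerpt:
#   MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message
ENTRY = re.compile(
    r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - "
)

def parse_entries(text):
    """Split raw log text into entries, even when several were pasted on one line."""
    starts = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        entries.append({
            "ts": m["ts"],
            "level": m["level"],
            "component": m["component"],
            "message": text[m.end():end].strip(),
        })
    return entries

def triage(entries, levels=("ERROR", "WARN", "FATAL"), prefix="LM"):
    """Return (entries at the given levels, entries from prefix-named components)."""
    problems = [e for e in entries if e["level"] in levels]
    licensing = [e for e in entries if e["component"].startswith(prefix)]  # assumed prefix
    return problems, licensing

# Sample input: the first two entries come from the thread (run together on one
# line, as pasted there); the two ExampleComponent entries are constructed.
SAMPLE = (
    "06-02-2016 00:00:00.287 -0500 INFO LMStackMgr - should rollover=true because "
    "_lastRolloverTime=1464757200 lastRolloverDay=1464757200 snappedNow=1464843600 "
    "06-02-2016 00:00:00.287 -0500 INFO LMStackMgr - finished rollover, "
    "new lastRolloverTime=1464843600\n"
    "06-02-2016 07:00:01.000 -0500 INFO ExampleComponent - last run: ERROR count=0\n"
    "06-02-2016 07:00:02.000 -0500 ERROR ExampleComponent - constructed failure\n"
)

if __name__ == "__main__":
    problems, licensing = triage(parse_entries(SAMPLE))
    for e in problems:
        print("PROBLEM  ", e["ts"], e["level"], e["component"], "-", e["message"])
    for e in licensing:
        print("LICENSING", e["ts"], e["level"], e["component"], "-", e["message"])
```

To run it against a real file, read splunkd.log into a string and pass it to `parse_entries` in place of `SAMPLE`.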