I have screenshots to share- but I'm apparently only allowed 2 posts per day. This is ridiculous.
What upgrade option? You mean not free? I'm still considering it when my trial ran out. I was under the impression that Splunk was free for a very small environment - like mine. It's a bit concerning that right out of the gate it flat out doesn't work.
Version upgrade, though license upgrade is always an option. If you're not using the latest version then I recommend upgrading the version. I sympathize with you, but I assure you it does work "out of the gate".
I did download and install the latest version yesterday after the license didn't work. It made no difference.
All I know is that in my environment, I followed the instructions, did a straightforward install of Splunk Light, used it successfully, the trial expired, and attempted to convert to free mode... and it does not work because of a license error. Seems like a license error should be pretty easy to diagnose/repair.
It won't let me post screenshots here - I'm out of Karma for the day... and I can't paste the text output because it's too long. Is there not a better place we can chat back and forth?
You should still be able to perform searches on Splunk's own internal data sources, even if general indexes/sources are not available.
Try this to look at where your data sources are:
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | timechart span=1d sum(kb) by series | addcoltotals | addtotals
The resulting table should show you on a daily basis what is causing your excess.
Also you need to be aware that access to the general data will remain blocked as long as 3 or more days of excess remain in a window of the last 30 days. With the Enterprise licence this is 5 excess days, which could explain why things broke when you switched to the Free licence - if the licence was expired by 4 days you would have exceeded a cap of zero by 4 days, but the interface would still work. On switching to free you only have a leeway of 2 over-capacity days in 30, which would cause you to be excluded from general data. The only solution to that is to address the excessive data, and then wait until the window is no longer exceeded - worst case scenario, 28 days.
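The rolling-window rule described in the answer above, as an added example that is not part of the original thread or Splunk's own code: it takes daily totals like those the timechart search returns and reports whether search is blocked and how long the wait is. The thresholds (3 excess days for Free, 5 for Enterprise) are taken from the answer; the function names and sample volumes are constructed for illustration.

```python
WINDOW_DAYS = 30  # rolling window length, as stated in the answer


def excess_days(daily_kb, quota_kb):
    """Indices (0 = oldest) of days whose indexed volume exceeded the quota."""
    return [i for i, kb in enumerate(daily_kb) if kb > quota_kb]


def is_blocked(daily_kb, quota_kb, block_at):
    """True if the last WINDOW_DAYS days hold block_at or more excess days."""
    recent = daily_kb[-WINDOW_DAYS:]
    return len(excess_days(recent, quota_kb)) >= block_at


def days_until_unblocked(daily_kb, quota_kb, block_at):
    """Days to wait until search unblocks, assuming no further excess days."""
    history = list(daily_kb)
    waited = 0
    while is_blocked(history, quota_kb, block_at):
        history.append(0.0)  # one more day with nothing over quota
        waited += 1
    return waited


# Constructed sample: 26 quiet days, then 4 days of indexing against an
# expired licence (quota of zero), the scenario the answer describes.
EXPIRED_QUOTA_KB = 0.0
SAMPLE_DAILY_KB = [0.0] * 26 + [1200.0] * 4

FREE_BLOCK_AT = 3        # per the answer: 3 or more excess days in 30
ENTERPRISE_BLOCK_AT = 5  # per the answer: 5 excess days in 30

if __name__ == "__main__":
    for name, limit in (("Enterprise", ENTERPRISE_BLOCK_AT),
                        ("Free", FREE_BLOCK_AT)):
        blocked = is_blocked(SAMPLE_DAILY_KB, EXPIRED_QUOTA_KB, limit)
        wait = days_until_unblocked(SAMPLE_DAILY_KB, EXPIRED_QUOTA_KB, limit)
        print(f"{name}: blocked={blocked}, days to wait={wait}")
```

When the excess days are the most recent ones, the wait comes out at the 28-day worst case mentioned in the answer; excess days that are already old age out of the window much sooner.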
Thank you for the responses -
The root problem here was that Splunk Light Trial does not automatically turn into Splunk Free.
So when the trial on Splunk Light ends, it basically goes into non-compliance and locks itself out. So it is an overage - but the limit is 0 - so after any data comes in - lockdown mode.
The only way to fix this is to wait 30 days (I think it's that long) - or contact support and get a reset-license-violation license key. They provided this to me.
Then I had to run this at the command line to get Splunk into free mode:
(for Windows I had to first CD to C:\Program Files\Splunk\bin)
splunk edit licenser-groups Lite_Free -is_active 1
Not a straightforward process - but they were nice enough to help me get the free version running. You would think there would be a button on the license page to simply fix this. But since it's free I won't complain! I appreciate having this powerful tool for free.