
License Expired

Path Finder

I was using SplunkLight in trial mode and the license expired.

I'm only collecting syslog from a few small devices well under <100MB/day. So we're talking a very small environment here.

I received a message upon logon that the license expired. I clicked a message to convert to free mode, and now I seem to be locked out of any searches because of license violations.

I don't understand the license violation because the free version has 500MB/day - and I'm a fraction of that.

Here's a screenshot of the licensing page. How do I fix this? Thanks in advance.

0 Karma

Re: License Expired

Splunk Employee

When you switched to Light Free mode, did you restart Splunk Light?
Can you post the output of the following commands (assuming Linux):

$SPLUNK_HOME/bin/splunk list licenser-groups

and

$SPLUNK_HOME/bin/splunk list licenser-pools
0 Karma

Re: License Expired

Path Finder

Thanks for the responses.

I did restart Splunk after switching to free mode. I also rebooted the server for good measure (twice!)

I am running on Windows. But here are the outputs of the commands from the CLI:

splunk list licenser-groups

    Enterprise
            is_active:0
            stack_ids:

    Forwarder
            is_active:0
            stack_ids:
                    forwarder

    Free
            is_active:0
            stack_ids:
                    free

    Lite
            is_active:0
            stack_ids:
                    lite

    Lite_Free
            is_active:1
            stack_ids:
                    lite_free

splunk list licenser-pools

 auto_generated_pool_forwarder
         description:auto_generated_pool_forwarder
         effective_quota:1048576
         quota:MAX
         slaves:
         stack_id:forwarder
         used_bytes:0

 auto_generated_pool_free
         description:auto_generated_pool_free
         effective_quota:524288000
         quota:MAX
         slaves:
         stack_id:free
         used_bytes:0

 auto_generated_pool_lite
         description:auto_generated_pool_lite
         effective_quota:0
         quota:MAX
         slaves:
         stack_id:lite
         used_bytes:0

 auto_generated_pool_lite_free
         description:auto_generated_pool_lite_free
         effective_quota:511705088
         quota:MAX
         slaves:
         stack_id:lite_free
         used_bytes:49634610

In regards to the error log, what is the best way to review this in Windows?

0 Karma

Re: License Expired

Splunk Employee

Also, could you check for ERRORs in the logs?

cd $SPLUNK_HOME/var/log/splunk ; grep ERROR *

0 Karma

Re: License Expired

Path Finder

How do I check for errors in the Windows version?

0 Karma

Re: License Expired

Splunk Employee

Ugh, well, there's no "grep" in Windows but I'm pretty sure $SPLUNK_HOME/var/log/splunk is still there. I'm not much of a Windows user but I think the Explorer has some "find in file" functionality. Also, if you're not running the latest version of SL then I'd recommend upgrading.

0 Karma
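
Added example, not part of the original thread: a PowerShell counterpart to `grep ERROR *` for a Windows install, which also splits each line into level and component so the matches can be narrowed. The function name `Find-SplunkLogLevel` is hypothetical, the sample log lines are constructed, and the line layout and install path are taken from the splunkd.log excerpt posted later in this thread.

```powershell
# Added example (not from the thread). Find-SplunkLogLevel is a hypothetical helper name.
function Find-SplunkLogLevel {
    param(
        [Parameter(Mandatory)] [string] $LogDir,
        [string[]] $Level     = @('ERROR'),   # log levels to keep
        [string]   $Component = '.'           # regex on the component name; '.' keeps all
    )
    # Line layout as in the splunkd.log excerpt in this thread:
    # "06-02-2016 00:00:00.287 -0500 INFO  LMStackMgr - message"
    $layout = '^(?<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ' +
              '(?<level>[A-Z]+)\s+(?<comp>\S+) - (?<msg>.*)$'

    # Include rotated files such as metrics.log.1 as well as the current *.log files.
    Get-ChildItem -Path $LogDir -Filter '*.log*' -File |
        Select-String -Pattern $layout -CaseSensitive |
        ForEach-Object {
            $g = $_.Matches[0].Groups
            [pscustomobject]@{
                File      = $_.Filename
                LineNo    = $_.LineNumber
                Time      = $g['ts'].Value
                Level     = $g['level'].Value
                Component = $g['comp'].Value
                Message   = $g['msg'].Value
            }
        } |
        Where-Object { $_.Level -in $Level -and $_.Component -match $Component }
}

# Constructed sample log so the example runs without a Splunk install.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'splunk-log-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@(
    '06-02-2016 00:00:00.287 -0500 INFO  LMStackMgr - finished rollover (constructed)'
    '06-02-2016 00:05:00.000 -0500 ERROR LMStackMgr - constructed license-manager error'
    '06-02-2016 00:06:00.000 -0500 ERROR WatchedFile - constructed unrelated error'
) | Set-Content -Path (Join-Path $demo 'splunkd.log')

# All ERROR lines, then only those from components whose names start with "LM".
Find-SplunkLogLevel -LogDir $demo | Format-Table File, LineNo, Level, Component, Message
Find-SplunkLogLevel -LogDir $demo -Component '^LM' | Format-Table Time, Component, Message

# On the real host (install path as shown in the thread's log excerpt):
# Find-SplunkLogLevel -LogDir 'C:\Program Files\Splunk\var\log\splunk' -Level ERROR, WARN
```
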

Re: License Expired

Path Finder

Thanks.

My searches show a handful of errors in a few different log files. However, they are all before this licensing problem, and seem unrelated to licensing.

So - I don't see any errors in any log files that seem related to licensing. Is there a particular log file that would be helpful to analyze?

0 Karma

Re: License Expired

Splunk Employee

splunkd.log would be the likely place imo. You could also try this search: "index=_internal ERROR"

0 Karma

Re: License Expired

Path Finder

Thanks. Narrowing it down to 1 log file vs. a directory full of log files is helpful.

There are very few ERROR matches - none with anything close to "internal" nearby.

Here are all the entries from the splunkd.log file today:

06-02-2016 00:00:00.287 -0500 INFO  LMStackMgr - should rollover=true because _lastRolloverTime=1464757200 lastRolloverDay=1464757200 snappedNow=1464843600
06-02-2016 00:00:00.287 -0500 INFO  LMStackMgr - finished rollover, new lastRolloverTime=1464843600
06-02-2016 00:00:28.287 -0500 INFO  LMSlaveInfo - Detected that masterTimeFromSlave(Wed Jun 01 23:59:28 2016) < lastRolloverTime(Thu Jun 02 00:00:00 2016), meaning that the master has already rolled over. Ignore slave persisted usage.
06-02-2016 00:16:07.602 -0500 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\Program Files\Splunk\var\log\splunk\audit.log'.
06-02-2016 03:15:58.350 -0500 INFO  BucketMover - will attempt to freeze: candidate='C:\Program Files\Splunk\var\lib\splunk\_introspection\db\db_1463645744_1463042039_3' because frozenTimePeriodInSecs=1209600 is exceeded by the difference between now=1464855358 and latest=1463645744
06-02-2016 03:15:58.366 -0500 INFO  DatabaseDirectoryManager - idx=_introspection Writing a bucket manifest in hotWarmPath='C:\Program Files\Splunk\var\lib\splunk\_introspection\db', pendingBucketUpdates=0 .  Reason='Removing bucket, bid=_introspection~3~7DC151F2-F7FF-4C9F-9D41-FF45B6DA353D'
06-02-2016 03:15:58.491 -0500 INFO  BucketMover - AsyncFreezer freeze succeeded for bkt='C:\Program Files\Splunk\var\lib\splunk\_introspection\db\db_1463645744_1463042039_3'
06-02-2016 03:15:59.288 -0500 INFO  DatabaseDirectoryManager - idx=_introspection Writing a bucket manifest in hotWarmPath='C:\Program Files\Splunk\var\lib\splunk\_introspection\db', pendingBucketUpdates=0 .  Reason=' frozen_buckets'
06-02-2016 06:59:42.116 -0500 INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file='C:\Program Files\Splunk\var\log\splunk\metrics.log'.
06-02-2016 06:59:42.116 -0500 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\Program Files\Splunk\var\log\splunk\metrics.log'.
06-02-2016 06:59:42.163 -0500 INFO  WatchedFile - Will begin reading at offset=24991320 for file='C:\Program Files\Splunk\var\log\splunk\metrics.log.1'.
0 Karma

Re: License Expired

Splunk Employee

Really only looking for "ERROR" log entries, not "INFO". Also note that the search "index=_internal ERROR" is a directive to show all "ERROR" events from the _internal index.

What about that upgrade option?

0 Karma