Why does slave have no matching license pool for t...

MT1234 · ‎01-17-2023

Hello,

I am new to Splunk and have testing purpose. I have installed Splunk within 30 days and installed the ITE content pack recently.

I got below error when searching. I found that the document said that searching will be disabled when there are five or more alerts.

But I don't know why my usage is full?

Error in Search:

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.

Licensing Alert:

slave had no matching license pool for the data it indexed

Licensing Alert from CLI:

4565f4ac328ca2cebf5d54342bd63c99
category:orphan_peer
create_time:1673625600
description:slave had no matching license pool for the data it indexed
peer_id:FDE1BB3F-01D3-4B27-B0FB-19AAE1CD27A0
severity:WARN
slave_id:FDE1BB3F-01D3-4B27-B0FB-19AAE1CD27A0

Appreciate for any help.

MT1234 · ‎01-19-2023

I found that after I installed ITE Work. It removed/override the trial enterprise license in Splunk.

I can see the trial license file in /opt/splunk/etc/licenses folder, but I cannot see in Splunk web/CLI.

As a result, it does not have license for * source type.

Does ITE Work can not use with trial license?

Thank you.

Why does slave have no matching license pool for the data it indexed?

using Splunk Enterprise

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...