Splunk Search

Free License Violation - How to Fix and Prevent Recurrence


My enterprise trial ended last week and I am now Free license.
I can't search because it says I have too many violations in the last 5 days.
I was under the impression the free version would only index 500MB and then stop; I didn't know I had to manage it.

So 2 questions:

1) How do I allow search results again?

2) How do I prevent a recurrence? I have no idea how to determine how much data will come in on a given day. What can I do?


On the free license you are allowed 3 violations in a rolling 30-day period. If you exceed this then you lose the ability to search. The logic is simply that most businesses would rather be able to keep saving the data and lose the ability to search.
If you cannot predict when you will have spikes over 500MB and it's likely to be more than 3 times in a rolling 30-day period then you need to purchase an enterprise license.

To regain search you need to go without violations for 30 days or just do a clean install and migrate your old configs and indexes over.

For reference, the detail about free license is here;

Also it's worth mentioning that Splunk will show a warning at the top of the screen each time you have a violation. Sadly it does mean that you need to monitor your usage, but they have tools to allow you to do that through the deployment monitor or an app called the real time license usage app or something along those lines (by Genti).

EDIT2: Oh and one more thing!
It is the case in a lot of setups that Splunk indexes everything it is sent, but perhaps you only need 70% of that data; perhaps there is some information that is sent by default that you don't want/need. You can route it to the "nullQueue". Basically, instead of indexing the data it will dump it based on a rule. For more detail on how to set that up read here;
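As an added illustration of the nullQueue routing described above (this is not configuration from the original post; the source path `/var/log/app/*.log` and the stanza names `setnull` and `keep_errors` are assumed for the example), the following two-layer filter cuts indexed volume before it counts against the 500MB/day limit. The first layer, in inputs.conf, stops rotated archives from ever being read; the second, in props.conf and transforms.conf, sends every event from a chatty source to nullQueue and then pulls only ERROR/WARN lines back into indexQueue. Transforms listed in one `TRANSFORMS-` setting are applied in order, so the last matching rule decides the queue.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Layer 1: do not even read rotated/compressed archives from the monitored directory.
# (example path; adjust to your environment)
[monitor:///var/log/app]
blacklist = \.(gz|\d+)$
sourcetype = app_log

# $SPLUNK_HOME/etc/system/local/props.conf
# Layer 2: per-event routing for the chatty source. The transforms run in the
# order listed: first everything goes to nullQueue, then matching events are
# re-routed to indexQueue. Order matters; reverse it and nothing is kept.
[source::/var/log/app/*.log]
TRANSFORMS-route = setnull, keep_errors

# $SPLUNK_HOME/etc/system/local/transforms.conf
# Default rule: match every event and discard it (not indexed, not licensed).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Override: events containing ERROR or WARN go back to the indexing pipeline.
[keep_errors]
REGEX = \b(ERROR|WARN)\b
DEST_KEY = queue
FORMAT = indexQueue
```

These props/transforms rules take effect at parse time, so on a single Splunk Free instance they belong on that instance (in a forwarder setup they must live on the indexer or a heavy forwarder, not a universal forwarder), and a restart is needed after editing them. Data already indexed is unaffected; only new events are dropped, so verify with a search against the source after the restart before relying on it to stay under the daily limit.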

Splunk Employee

There are some examples of scheduled searches to alert by email when a new violation is recorded, http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

but scheduling is an enterprise feature, not available on Splunk Free 😞

So the way to go:
- buy a Splunk Enterprise license, and get a reset key from support.
- or reinstall a new trial instance and migrate your data... every 30 days.
- limit the data volume