Issue with searches and free version

Am
Explorer

Hello,

Two months ago we had the trial for the Enterprise version but now we are using the free version. Since the free version was selected we're prompted with an error, and we can't solve it.

The error when we try to do a new search is the following:
"Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK."

Any ideas? It'd be nice not reinstalling the whole platform as the data stored is needed.

 

Thanks in advance


gcusello
SplunkTrust
SplunkTrust

Hi @Am,

When you're using the Free License, you can index up to 500 MB/day.

If you exceed this value more than 2 times in 30 solar days, you're in violation and your Splunk instance continues to index your data but all searches are blocked (except the ones on internal indexes).

For more info, see https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Aboutlicenseviolations

To have a new Trial installation, if you installed on Unix, you have to delete your instance and reinstall it.

On Windows this solution isn't applicable.

You can save the apps configurations by copying the $SPLUNK_HOME/etc/apps folder before deleting and overriding it in the new installation.

Obviously this isn't a solution!

The correct approach is to identify your need in terms of license consumption and then buy the license!

In addition, using the Free License you also have a limited set of features.

Ciao.

Giuseppe


Am
Explorer

Hi!

Thanks for your fast answer. Since we're trying to understand how the platform works and performs in our environment, we're using the free version for now, it will be of course upgraded in case we finally decide to use it in our enterprise.

Now we have another issue, we don't know how to reinstall Splunk and add the data inputs so, is there any guide decently explained for beginners about installing Splunk and adding data inputs such as AD in order for us to follow ?

Many thanks.


gcusello
SplunkTrust
SplunkTrust

Hi @Am,

At first, are you working on Linux or Windows?

If you're working on Linux and your installation was OK before the block, you can follow these steps:

  • copy all the $SPLUNK_HOME/etc/apps folder to another temp folder;
  • see what Splunk version you have;
  • stop the Splunk service (/opt/splunk/bin/splunk stop);
  • delete all the Splunk folder;
  • install from scratch the same version of Splunk (https://docs.splunk.com/Documentation/Splunk/8.1.3/Installation/Beforeyouinstall);
  • stop the new instance;
  • copy the saved folder onto the same folder of the new installation;
  • restart Splunk.

In this way, you have the old installation for the next two months, with the same limitation: 500 MB/day and two exceedances in 30 solar days.

About Data Inputs, they depend on the sources; my hint is to use standard Apps and Technical Add-ons (TAs) from Splunkbase. For AD, see https://splunkbase.splunk.com/app/1680/ (the Splunk App for Windows Infrastructure), following all the instructions, especially the TAs' installation (https://docs.splunk.com/Documentation/MSApp/latest/MSInfra/AbouttheSplunkAppforMSInfrastructure).

Ciao.

Giuseppe

Am
Explorer

Hi @gcusello ,

Thanks again for your answers.

The installation went smoothly, and now we're facing the issue with the input data received from an AD; the Universal Forwarder had already been installed in the AD machine before reinstalling Splunk. The configuration it had was correct and the logs were received correctly, but now they aren't. Did reinstalling the Splunk software change the configuration in any way which made the forwarder stop sending data?

The Splunk is installed in a Linux machine.

Any info would be appreciated.

Thanks !


gcusello
SplunkTrust
SplunkTrust

Hi @Am,

At first check if you're receiving logs from that host; you can check this at first on internal logs and then on other logs.

If you aren't receiving any logs (also internal), at first check if you enabled receiving in Splunk Enterprise and then check if the hostname or IP of the Splunk server is the same and if it's correctly configured in the UF.

If instead you're receiving internal logs from that host, check if you're receiving other logs from that server.

If you don't receive any log (except internal) check the TAs you're using for inputs on the UF; if instead you're receiving other logs (not only internal) from that server you have to check other things:

if the input is correctly configured;

if the logs are indexed in the index you're searching;

if there's an error in parsing: if the timestamp of your logs is in European format (dd/mm/yyyy) it must be parsed with the correct TIME_FORMAT, otherwise Splunk uses its default format (mm/dd/yyyy).

Ciao.

Giuseppe


Am
Explorer
 
Ain't sure if we missed any step. The thing is, the UF was already installed in the AD machine, so could it be that the AD machine is sending the logs correctly to the Splunk machine, but the last doesn't then have any index set up since the reinstallation? If so (or otherwise and we're missing some point) is there any step by step guide on how to set up an indexer to receive the logs?

Many thanks.

gcusello
SplunkTrust
SplunkTrust

Hi @Am,

As I said, check if you're receiving internal logs: if yes the connection is OK, if not check if receiving is enabled [Settings -- Forwarding and Receiving -- Receiving] on the Splunk Server.

For more info see https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingforwardingagents#:~:text=Download%20Spl....

Remember always that Splunk documentation is really fantastic and you can always find the solution for your problems.

The last thing is when there's a parsing error, but it comes later; check the situation of logs:

  • have you internal logs from that server,
  • have you other logs from that server.

Ciao.

Giuseppe


Am
Explorer

Hi @gcusello,

We're not receiving any kind of logs, and receiving is enabled as mentioned in the documentation (which we feel is deep enough, but also a bit tough to start from scratch with). Is there any way to reconfigure the UF in the AD machine? (In case we mess something up and want to recover the working configuration that was there before.)

Thanks !


gcusello
SplunkTrust
SplunkTrust

Hi @Am,

Here you can find how to configure a UF to send logs to Splunk: https://docs.splunk.com/Documentation/Forwarder/8.1.3/Forwarder/Aboutforwardingandreceiving . In other words you have to create (if it doesn't exist) a file called outputs.conf in $SPLUNK_HOME/etc/system/local and insert in it the following items:

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=<your_splunk_server_hostname_or_ip_address>:9997

[tcpout-server://<your_splunk_server_hostname_or_ip_address>:9997]

<your_splunk_server_hostname_or_ip_address> is the hostname or the IP address of your Splunk server and 9997 is the port you configured for receiving.

At the end you must restart Splunk on the UF (without restarting, changes aren't in use!).

You can check that's all ok with a simple search on Splunk:

index=_internal host=<your_splunk_server_hostname>

If you have internal logs, you can start the other check I hinted.

Ciao.

Giuseppe

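As an added illustration (not from the thread and not Splunk's own tooling), a small Python check that reads an outputs.conf laid out as in the post above and reports the mistakes this thread turns on: a defaultGroup that has no matching [tcpout:<group>] stanza, the <placeholder> text left unreplaced, or a port other than the one enabled for receiving. The sample file, parse_conf and check_outputs_conf are constructed for this example; port 9997 is the one the post uses.

```python
import re

# Constructed sample, laid out like the stanzas in the post above
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=splunk.example.internal:9997

[tcpout-server://splunk.example.internal:9997]
"""
# host:port as written in server=; an unreplaced "<placeholder>" fails this on purpose
SERVER_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")

def parse_conf(text):
    """Minimal Splunk .conf reader (hypothetical helper): {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_outputs_conf(text, expected_port=9997):
    """Return a list of problems; an empty list means the file matches the post's layout."""
    conf = parse_conf(text)
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["[tcpout] is missing defaultGroup"]
    group_stanza = conf.get("tcpout:" + group)
    if group_stanza is None:
        return ["[tcpout:%s] stanza not found" % group]
    servers = group_stanza.get("server", "")
    if not servers:
        return ["[tcpout:%s] has no server= entry" % group]
    problems = []
    for entry in (e.strip() for e in servers.split(",")):
        m = SERVER_RE.match(entry)
        if not m:
            problems.append("malformed server entry: %r" % entry)
        elif int(m.group("port")) != expected_port:
            problems.append("%s does not use receiving port %d" % (entry, expected_port))
    return problems
```

Run it against the real $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder before restarting; an empty list is the expected result.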