I have installed my first splunk enterprise on a linux server and installed forwarders on windows workstations using the ports as instructed. Firewall is off and selinux off. The forwarders are calling in.
Now perhaps I am missing something, in that in splunk I select search and enter * (or index=anything, there is a long list) and the error is:
The transform ca_pam_login_auth_action_success is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references.
I tried another search, and saw another error:
Error in "litsearch" command: Your splunk license expired (the license is new) or you have exceeded your license limit too many times. Renew your splunk license by visiting www.splunk/com/store or calling 866-GET-SPLUNK.
The search job failed due to an error. You may be able to view the job in the job inspector.
All I want is to understand why FORMAT has capturing group references, but the regex does not and to turn my paperweight into a thriving reporting tool.
Can anyone help? Thank you!
"The transform ca_pam_login_auth_action_success is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references". If I remember correctly, that should be a warning, not an error. Which means that on its own it would not break the search completely; it just might not extract some fields correctly (and might not find events if your search relied on those fields).
The second error means that your license expired. There might be several reasons (depending on the license type and license usage). You can go to Settings -> License to check your license usage and split it by sources and indexes.
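The warning quoted above describes a consistency problem between a transform's REGEX and its FORMAT in transforms.conf: FORMAT refers to $1 (or higher) while the regex defines no capturing group to fill it. The checker below, which is an added example and not code from the thread or from the CA PAM add-on, parses constructed transforms.conf stanzas and reports that mismatch, plus the related case where FORMAT references a group number the regex does not define. The stanza contents, the second and third stanza names, and the field name ca_pam_user are constructed for illustration; only the first stanza name comes from the thread.

```python
import configparser
import re

# Constructed transforms.conf text (hypothetical; not the CA PAM add-on's real configuration).
# Stanza 1 has the shape the quoted warning describes: FORMAT references $1 but REGEX has
# no capturing group. Stanza 2 is the corrected form (user=(\S+) captures the value).
# Stanza 3 references $2 although the regex defines only one capturing group, because
# (?:...) is non-capturing.
SAMPLE_TRANSFORMS_CONF = r"""
[ca_pam_login_auth_action_success]
REGEX = login_auth\s+action=success\s+user=\S+
FORMAT = ca_pam_user::$1

[ca_pam_login_auth_action_success_fixed]
REGEX = login_auth\s+action=success\s+user=(\S+)
FORMAT = ca_pam_user::$1

[dangling_reference]
REGEX = src=(\S+)\s+dst=(?:\S+)
FORMAT = src::$1 dst::$2
"""

# $N references inside a FORMAT value
FORMAT_REF = re.compile(r"\$(\d+)")


def parse_transforms(conf_text):
    """Parse INI-style transforms.conf text into {stanza_name: {KEY: value}}."""
    parser = configparser.ConfigParser(interpolation=None)  # '$' and '%' are literal here
    parser.optionxform = str  # keep REGEX/FORMAT in upper case as Splunk writes them
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()}


def capturing_group_count(regex):
    """Count capturing groups; (?:...) and lookarounds are not counted, which is what
    the warning means by 'capturing groups'. Python's re syntax covers these constructs
    the same way as the PCRE Splunk uses."""
    return re.compile(regex).groups


def format_group_refs(fmt):
    """Sorted, de-duplicated list of group numbers referenced as $N in FORMAT."""
    return sorted({int(n) for n in FORMAT_REF.findall(fmt)})


def check_transform(name, stanza):
    """Return a list of problems for one stanza (empty list if REGEX and FORMAT agree)."""
    regex = stanza.get("REGEX")
    fmt = stanza.get("FORMAT", "")
    if regex is None:
        return [f"{name}: no REGEX defined"]
    try:
        groups = capturing_group_count(regex)
    except re.error as exc:
        return [f"{name}: REGEX does not compile: {exc}"]
    refs = format_group_refs(fmt)
    problems = []
    if refs and groups == 0:
        # Exactly the situation behind the warning quoted in the thread
        problems.append(f"{name}: regex has no capturing groups, but FORMAT references {refs}")
    else:
        dangling = [r for r in refs if r > groups]
        if dangling:
            problems.append(f"{name}: FORMAT references group(s) {dangling} "
                            f"but regex defines only {groups}")
    return problems


def check_transforms_conf(conf_text):
    """Map every stanza name in the conf text to its list of problems."""
    return {name: check_transform(name, stanza)
            for name, stanza in parse_transforms(conf_text).items()}


if __name__ == "__main__":
    for name, problems in check_transforms_conf(SAMPLE_TRANSFORMS_CONF).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Running this against a real add-on's transforms.conf (read the file instead of the constructed string) lists the stanzas whose FORMAT and REGEX disagree, so you can tell whether a warning like the one in the question comes from one bad transform or from several, before deciding whether to patch the stanza in a local override or remove the add-on.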
Hi @skrampachspl,
the main problem is that you're using a Free license that permits indexing up to 500 MB/day.
If you exceed this value for three or more days you're in license violation so searches are blocked.
You have two choices:
Ciao.
Giuseppe
Actually, the license being used is not the free one, as my company paid $xx k for licensing. It is odd, as I am not a "premier member" after shelling out that much cash.
As I wrote before - you paid for the license but have you installed the license properly? Do your components properly communicate with license master (if you have a distributed setup)? Did you check your license usage?
The TA that generates these transforms seems to break searches after running into this error. We have to remove the CA Privileged Access Manager (PAM) Add-on for Splunk TA and restart Splunk to fix this issue. Your issue with search may be related to the TA.
Well, no.
While the addon might contain some faulty definitions, it won't prevent the environment from searching in general and cause licensing warning.
We noticed this TA error issue on Splunk Cloud as soon as this TA was installed. So there is no license issue in our environment. A quick test is to install this TA in a valid licensed environment and see it break search. The OP may have had a coincidental License error.