Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Questions about Splunk Enterprise- What happens after 3 quota overruns, The difference between Free and Trial, etc

hichem_khalfi
Path Finder
‎07-29-2022 01:04 AM

Hi please I have 3 questions regarding the splunk enterprise solution (500 mega free log)


infact I am a student and I want to master this solution

1/ after 3 quota overruns, what exactly happens? does splunk server stop receiving logs or what??

2/ what is the difference between: Free license and Enterprise Trial license?

3/ in case I had 2 splunk servers and I want to put one of the 2 as slave because I will need it but I only need the logs that analyzed it, what happens technically?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 01:28 AM

Hi @hichem_khalfi,

answering to your questions:

1)

after three exceeding, you are in license violation so the data indexing will continue, but all searches (except the ones on _* indexes) will be disabled.

To restart searching, you have to receibe an unblock key from Splunk.

2)

Both Free license and Trial License permit 500 MB/day of ingestion, but in Free License some features (e.g. login) are disabled, you can know which feature are disabled at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/TypesofSplunklicenses

3), if one server must only send logs to the other, you can install on it the Universal Forwarder (free license) and configure it to send its logs to the other.

 

In addition, you could see at https://www.splunk.com/en_us/about-us/splunk-pledge/academic-license-application.html the conditions to have a free license for acadmic scope.

Ciao.

Giuseppe

Reply

hichem_khalfi
Path Finder
‎07-29-2022 01:56 AM

Hi @gcusello 

what I understand then: I can no longer use this server now because I had a test model containing a firewall and an antivirus with its own indexes

 

2- Is there a solution to complete the tests on a new splunk server without losing the existing information on the first server?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 02:23 AM

Hi @hichem_khalfi,

to continue to use it, you have to ask to Splunk an unblock key or install a new machine and copy the old data on the new one.

Obviously the new installation has only three exceedings, so if you continue to have more than 500 MB/day, you'll be again in violation in three days.

Ciao.

Giuseppe

Reply

hichem_khalfi
Path Finder
‎07-29-2022 09:22 AM

hi @gcusello 

Super ; problème résolu
dernière question ; dans le cas où j'ai 2 serveurs avec un dépassement de quota et que je souhaite regrouper leurs données dans un 3ème serveur
y a-t-il une solution?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 09:48 AM

Hi @hichem_khalfi,

good for you for the first issue, please accept the solution for the other people of Community.

About the second question: iF the indexes are different, you can repeat the process I described for both the indexes.

If instead the index is the same e.g. main), merge isn't possible, so: for one of them, you can use the solution I described, for the second the only chance is to extract data in a text file and reload them.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 02:21 AM

Hi @hichem_khalfi,

if you're in violation, you could ask an unblock key to Splunk to use the accademic license.

When you'll have (but also before it!), you'll be able to:

  • install Splunk on a new machine,
  • stop Splunk on the new and old machine,
  • copy indexes data ($SPLUNK_HOME/var/lib/splunk) on the new machine,
  • copy indexes definition (files indexes.conf) in the new machine,
  • restart Splunk on the new machine.

Ciao.

Giuseppe

Reply

hichem_khalfi
Path Finder
‎07-29-2022 03:22 AM

HI @gcusello 

this is what I want to know:
1/ how can I have this academic license? the procedure ?
2/ I know I'm talking about technical stuff but I want to be sure of a few points:
by copying this folder ($SPLUNK_HOME/var/lib/splunk) I make sure that all the old data will be present on the new server??
I used only one index by default (main) so what should I do ? 

thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 04:54 AM

Hi @hichem_khalfi,

about the academic license, all that I know is the link I sent bacause I didn't used it.

About the procedure of index moving, as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Moveanindex you have to:

  • install on a new machine another Splunk instance using the same version,
  • stop both the Splunk instances,
  • copy the $SPLUNK_HOME/var/lib/splunk/your index from the old in the same folder of the new one,
  • copy indexes.conf where your index is defined from the old system to the new one, if the index is main, don't do this step,
  • restart Splunk on the new instance.

In this way, you'll have all the old data in the new instance.

Ciao.

Giuseppe

Reply

hichem_khalfi
Path Finder
‎07-29-2022 06:58 AM

HI @gcusello 

please clarify me a bit more, I copied all the var/lib/splunk folder, but I didn't copy any index.conf files because I use index by default: index=main
but I have no results on the new server
where are the files indexes.conf to copy them? do you know the exact path?
thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 08:02 AM

Hi @hichem_khalfi,

if the index where you stoed your data is main, you have to copy from the old system to the new the defaultdb folder that contains all the main buckets.

check in $SPLUNK_HOME/etc/splunk-launch.conf if the row starting with SPLUNK_DB is active or under comment.

If it's commented, you have to copy the "defaultdb" folder.

If it's acrive (non commented), you have to copy the defaultdb folder in the path that you can find in DEFAULT_DB.

the indexes.conf containing main index location usually is in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/system/default.

Ciao.

Giuseppe

0 Karma
Reply

hichem_khalfi
Path Finder
‎07-29-2022 01:44 AM

Hi @gcusello 

1- what I understand then: I can no longer use this server now because I had a test model containing a firewall and an antivirus with their own indexew, i used index= main for them

2- Is there a solution to complete the tests on a new splunk server without losing the existing information on the first server?

0 Karma
Reply

chaker
Contributor
‎07-29-2022 01:07 AM

1: Search will be disabled on all logs except the internal logs


2: Free license is heavily reduced feature set, Enterprise trial is a trial period of the full feature set.


3: Not sure what you mean. Perhaps read up on distributed search or indexer clustering.
Here is the Splunk Validated Architecture document for reference.

https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

 

Reply

hichem_khalfi
Path Finder
‎07-29-2022 01:26 AM

hi @chaker 

I am preparing a presentation on splunk
I lost my first license after 3 quota overruns, and as you know if I prepare a new splunk server I lose all information on the first server
that's why I'm looking for a solution to have them on the second server

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...