
Questions about Splunk Enterprise- What happens after 3 quota overruns, The difference between Free and Trial, etc

hichem_khalfi
Path Finder

Hi, please, I have 3 questions regarding the Splunk Enterprise solution (500 MB free log per day).

In fact I am a student and I want to master this solution.

1/ after 3 quota overruns, what exactly happens? Does the Splunk server stop receiving logs, or what?

2/ what is the difference between: Free license and Enterprise Trial license?

3/ in case I had 2 splunk servers and I want to put one of the 2 as slave because I will need it but I only need the logs that analyzed it, what happens technically?


gcusello
SplunkTrust

Hi @hichem_khalfi,

answering to your questions:

1)

after three exceedances, you are in license violation, so data indexing will continue, but all searches (except the ones on _* indexes) will be disabled.

To restart searching, you have to receive an unblock key from Splunk.

2)

Both the Free license and the Trial license permit 500 MB/day of ingestion, but in the Free license some features (e.g. login) are disabled; you can see which features are disabled at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/TypesofSplunklicenses

3), if one server must only send logs to the other, you can install on it the Universal Forwarder (free license) and configure it to send its logs to the other.


In addition, you could see at https://www.splunk.com/en_us/about-us/splunk-pledge/academic-license-application.html the conditions to have a free license for academic scope.

Ciao.

Giuseppe

hichem_khalfi
Path Finder

Hi @gcusello 

what I understand then: I can no longer use this server now because I had a test model containing a firewall and an antivirus with its own indexes


2- Is there a solution to complete the tests on a new splunk server without losing the existing information on the first server?


gcusello
SplunkTrust

Hi @hichem_khalfi,

to continue to use it, you have to ask Splunk for an unblock key or install a new machine and copy the old data onto the new one.

Obviously the new installation also has only three exceedances, so if you continue to have more than 500 MB/day, you'll be in violation again in three days.

Ciao.

Giuseppe

hichem_khalfi
Path Finder

hi @gcusello 

Great; problem solved.
Last question: in the case where I have 2 servers with a quota overrun and I want to group their data into a 3rd server,
is there a solution?


gcusello
SplunkTrust

Hi @hichem_khalfi,

good for you for the first issue, please accept the solution for the other people of Community.

About the second question: if the indexes are different, you can repeat the process I described for both the indexes.

If instead the index is the same (e.g. main), a merge isn't possible, so: for one of them, you can use the solution I described; for the second, the only chance is to extract the data into a text file and reload it.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust

Hi @hichem_khalfi,

if you're in violation, you could ask Splunk for an unblock key to use the academic license.

When you have it (but also before!), you'll be able to:

  • install Splunk on a new machine,
  • stop Splunk on the new and old machine,
  • copy indexes data ($SPLUNK_HOME/var/lib/splunk) on the new machine,
  • copy indexes definition (files indexes.conf) in the new machine,
  • restart Splunk on the new machine.

Ciao.

Giuseppe

hichem_khalfi
Path Finder

HI @gcusello 

this is what I want to know:
1/ how can I have this academic license? the procedure ?
2/ I know I'm talking about technical stuff but I want to be sure of a few points:
by copying this folder ($SPLUNK_HOME/var/lib/splunk) I make sure that all the old data will be present on the new server??
I used only one index by default (main) so what should I do ? 

thank you


gcusello
SplunkTrust

Hi @hichem_khalfi,

about the academic license, all that I know is the link I sent, because I didn't use it.

About the procedure of index moving, as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/Moveanindex you have to:

  • install on a new machine another Splunk instance using the same version,
  • stop both the Splunk instances,
  • copy the $SPLUNK_HOME/var/lib/splunk/your index from the old in the same folder of the new one,
  • copy indexes.conf where your index is defined from the old system to the new one, if the index is main, don't do this step,
  • restart Splunk on the new instance.

In this way, you'll have all the old data in the new instance.

Ciao.

Giuseppe

hichem_khalfi
Path Finder

HI @gcusello 

please clarify a bit more for me: I copied the whole var/lib/splunk folder, but I didn't copy any indexes.conf files because I use the default index: index=main
but I have no results on the new server
where are the indexes.conf files to copy? do you know the exact path?
thanks


gcusello
SplunkTrust

Hi @hichem_khalfi,

if the index where you stored your data is main, you have to copy from the old system to the new one the defaultdb folder that contains all the main buckets.

Check in $SPLUNK_HOME/etc/splunk-launch.conf whether the row starting with SPLUNK_DB is active or commented out.

If it's commented, you have to copy the "defaultdb" folder.

If it's active (not commented), you have to copy the defaultdb folder into the path that you can find in DEFAULT_DB.

the indexes.conf containing main index location usually is in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/system/default.

Ciao.

Giuseppe

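The two procedures above (moving an index folder to a new instance of the same version, and resolving where main's defaultdb lives via SPLUNK_DB in splunk-launch.conf) as one runnable shell script. This is an added example, not gcusello's code or a Splunk tool. It assumes the splunkd pid file sits at $SPLUNK_HOME/var/run/splunk/splunkd.pid (used only as a guard so the copy refuses to run on a live instance) and that a custom index's indexes.conf is in etc/system/local; it does not start or stop splunkd for you.

```shell
#!/bin/sh
# Added example: copy one index's buckets from a stopped Splunk instance to
# another stopped instance, following the steps from the thread.
# Nothing here starts or stops splunkd; stop both instances before running.

# Print the data root of an instance. An uncommented SPLUNK_DB line in
# $SPLUNK_HOME/etc/splunk-launch.conf wins; otherwise it is var/lib/splunk.
resolve_splunk_db() {
  home="$1"
  conf="$home/etc/splunk-launch.conf"
  db=""
  if [ -f "$conf" ]; then
    # '^#' lines are commented out and deliberately not matched
    db=$(grep -E '^[[:space:]]*SPLUNK_DB[[:space:]]*=' "$conf" \
         | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//')
  fi
  [ -n "$db" ] || db="$home/var/lib/splunk"
  printf '%s\n' "$db"
}

# Map an index name to its on-disk folder (main is stored as defaultdb).
index_folder() {
  case "$1" in
    main) printf 'defaultdb\n' ;;
    *)    printf '%s\n' "$1" ;;
  esac
}

# Guard: assumed pid file location of a running splunkd (assumption).
splunkd_running() {
  [ -f "$1/var/run/splunk/splunkd.pid" ]
}

# move_index OLD_HOME NEW_HOME INDEX
# Returns 0 on success, 1 if either instance seems to be running,
# 2 if the source index folder is missing.
move_index() {
  old="$1"; new="$2"; idx="$3"
  if splunkd_running "$old" || splunkd_running "$new"; then
    echo "stop splunkd on both instances first" >&2
    return 1
  fi
  folder=$(index_folder "$idx")
  src="$(resolve_splunk_db "$old")/$folder"
  dst="$(resolve_splunk_db "$new")/$folder"
  if [ ! -d "$src" ]; then
    echo "source index folder $src not found" >&2
    return 2
  fi
  mkdir -p "$dst"
  cp -R "$src/." "$dst/"   # db_*, colddb, thaweddb buckets travel as-is
  # main is already defined in etc/system/default, so only a custom index
  # needs its definition copied (assumed to live in etc/system/local).
  if [ "$idx" != main ] && [ -f "$old/etc/system/local/indexes.conf" ]; then
    mkdir -p "$new/etc/system/local"
    cp "$old/etc/system/local/indexes.conf" "$new/etc/system/local/indexes.conf"
  fi
  return 0
}

# usage: sh move_index.sh /opt/splunk_old /opt/splunk_new main
if [ "$#" -eq 3 ]; then
  move_index "$@"
fi
```

Run it with both instances stopped; if the copy succeeds but the new server still shows no events for main, check that the destination resolved by resolve_splunk_db is the same path the new instance's splunk-launch.conf points at.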

hichem_khalfi
Path Finder

Hi @gcusello 

1- what I understand then: I can no longer use this server now because I had a test model containing a firewall and an antivirus with their own indexes; I used index=main for them

2- Is there a solution to complete the tests on a new splunk server without losing the existing information on the first server?


chaker
Contributor

1: Search will be disabled on all logs except the internal logs


2: Free license is heavily reduced feature set, Enterprise trial is a trial period of the full feature set.


3: Not sure what you mean. Perhaps read up on distributed search or indexer clustering.
Here is the Splunk Validated Architecture document for reference.

https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf


hichem_khalfi
Path Finder

hi @chaker 

I am preparing a presentation on splunk
I lost my first license after 3 quota overruns, and as you know if I prepare a new splunk server I lose all information on the first server
that's why I'm looking for a solution to have them on the second server
