Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search and index problem..(Trial license has expired/updated to free license version)

hylee
Explorer
‎02-23-2014 07:53 PM

Trial license has expired, so updated to free license version.
However, still does not search, and data does not index.

error message below..
"Alerts - Permanent" - 8 license window warnings reported by 1 indexer

How should I solve this problem?

Tags (3)
0 Karma
Reply

grijhwani
Motivator
‎02-23-2014 10:48 PM

Cut down the amount of data you are indexing. The indexing should continue, even if you have blown your daily licence cap, but searching facilities are disabled whilst you have a specific number of violations within the last 30 day window. On a free licence your it will stop after 3, on an enterprise licence after 5.

Just how much are you indexing?

For explanation of licence violations see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

0 Karma
Reply

grijhwani
Motivator
‎02-23-2014 11:44 PM

In that case you have something odd going on.

Try this search:

index="_internal" source="*license_usage.log" type="Usage" | convert timeformat="%Y-%m-%d (%a)" ctime(_time) as ISODate | eval MB=b/1024/1024 | chart eval(round(sum(MB),0)) over date_hour by ISODate limit=0 | addcoltotals labelfield=date_hour | addtotals

It is more detailed than you need, but it should tell you what the service thinks you are indexing.

If you are running on linux (you don't specify your platform) I have a suspicion you may be falling foul of rotated logs being detected as new files and re-indexed.

0 Karma
Reply

hylee
Explorer
‎02-23-2014 11:27 PM

695MB means total..almost 2months..10~20MB a day..

0 Karma
Reply

grijhwani
Motivator
‎02-23-2014 11:16 PM

There's your problem. A free licence only allows a max of 500MB a day.

0 Karma
Reply

hylee
Explorer
‎02-23-2014 11:04 PM

total of 695MB..

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...