Knowledge Management

Splunk Free Version License Violation help

martinpugh
Explorer

Hi guys,

I've been trying to get a new index built to import some IIS logs and in the process of importing and deleting content to get the formats right, I've tripped over the 500MBytes per day limit of the Free License. Trouble is, I'm hoping to back fill the final version index with some historical data but of course I'm already over the daily limit.

From what I've read, the daily limit counts as one violation per day if the daily indexed volume remains at midnight. So I guess my question is, as a one off, if I continue with the backfill (bearing in mind my Splunk box is also continuing to recieve it's normal syslog traffic of around 45Mbytes per day too), will I just count as a single violation even if I'm over by a couple of hundred meg?

Moving forward, the IIS boxes are generating about 90Mbyes per day between them, so I would normally be well under the 500 MBytes limit.

Thanks and best regards.

0 Karma

MuS
SplunkTrust
SplunkTrust

hi martinpugh

if I recall it right, if you hit a license violation it does not matter how much you are over the limit .... but keep in mind that each violation counts for 30 days. So 3 violation within a rolling 30 days and you cannot search your data anymore.

read more here

cheers

MuS

Drainy
Champion

Yes, but just be careful about the 30 days. It is a rolling 30 day window so if you had one violation and 29 days later a second violation, the countdown would restart. 29 days after your second violation you would still have 2 violations - you need to go 30 days completely free of violations to reset the count.

0 Karma

mikelanghorst
Motivator

Yes, the splunk license manager doesn't care whether you exceed by 10MB or 500GB, the violations count the same. As long as you don't have 3 violations in 30 days, you'll be fine. Just get all your data in within the 2 days.

martinpugh
Explorer

Hi MuS. That seems to be the understanding from most people too, including the Splunk partner I spoke to earlier. I've added the remaining data I wanted to get in and moving forward we will be way below the daily limit.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...