search and index problem..(Trial license has expir...

hylee · ‎02-23-2014

Trial license has expired, so updated to free license version.
However, still does not search, and data does not index.

error message below..
"Alerts - Permanent" - 8 license window warnings reported by 1 indexer

How should I solve this problem?

grijhwani · ‎02-23-2014

Cut down the amount of data you are indexing. The indexing should continue, even if you have blown your daily licence cap, but searching facilities are disabled whilst you have a specific number of violations within the last 30 day window. On a free licence your it will stop after 3, on an enterprise licence after 5.

Just how much are you indexing?

For explanation of licence violations see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

grijhwani · ‎02-23-2014

In that case you have something odd going on.

Try this search:

index="_internal" source="*license_usage.log" type="Usage" | convert timeformat="%Y-%m-%d (%a)" ctime(_time) as ISODate | eval MB=b/1024/1024 | chart eval(round(sum(MB),0)) over date_hour by ISODate limit=0 | addcoltotals labelfield=date_hour | addtotals

It is more detailed than you need, but it should tell you what the service thinks you are indexing.

If you are running on linux (you don't specify your platform) I have a suspicion you may be falling foul of rotated logs being detected as new files and re-indexed.

hylee · ‎02-23-2014

695MB means total..almost 2months..10~20MB a day..

grijhwani · ‎02-23-2014

There's your problem. A free licence only allows a max of 500MB a day.

hylee · ‎02-23-2014

total of 695MB..

search and index problem..(Trial license has expired/updated to free license version)

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!