Splunk Search

Quota=0 bytes for 3 days. How do i reenable search ?

lhdk
New Member

Hi

I have been using trial version and it expired during Christmas. Now i had expected to use the free version instead, but i cannot search as my license has been violated for 3 days with this error message : Indexing quota exceeded for this pool, quota=0 bytes

Is it possible to unlock the free license or do i have to buy a license to see my log data during the Christmas (as i have installed Splunk i do not have any other syslog logs). Is it possible to search log data looking in textfiles instead ?

Regards, Lars

Tags (1)
0 Karma

alaorath
Path Finder

You do not need to reinstall!

Simply log in as administrator, and change the license group to "Free License" (Settings, Licensing, "Change license group" button). This assumes you are under the free quota of 500/mb per day (check your usage report in the Licensing dashboard).

0 Karma

rpalamara
New Member

Just wanted to say thanks for this post. I was having the same exact issue becuase I was testing splunk with everything under the sun and did not notice that the trial expired while I was on vacation.

By the way Splunk is a great tool. using the free version now and working on getting the purchase worked into the budget. It smokes the rest of the logging tools that I currently use.

0 Karma

lhdk
New Member

Thank you for your reply.

I made a backup of the old splunk directory and made a fresh install of Splunk. After setting up the free license i followed your guide, but copied only the defaultdb directory. After restart and reconfigure my installation worked again.

Regards - Lars

0 Karma

Drainy
Champion

Great! Don't forget to click on the tick to the left of my answer to accept it! 🙂 It makes the question/answer pair more useful for those in the future with the same problem

0 Karma

Drainy
Champion

Have a read of;
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

Essentially your search functionality will return after a period of 30 days of non violation from the date of your last violation, during this time you cannot effectively search your data. You could search the original data before it was indexed (log files, event logs etc) but obviously this would be without the aid of Splunk.

You can't get an unlock license for a free license, but if you were up for the effort you could always install a second instance of Splunk server, switch it to a free license and migrate the buckets across;
http://docs.splunk.com/Documentation/Splunk/latest/admin/MoveAnIndex

The above link gives some detail on how to do this, I don't forsee any issues with that method if you wanted instant access again but as with everything I would backup your previous install in its entirety before trying anything.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...