Hi,
I just change splunk from Trial to Free. However, same as some other user asking, a warning messages comes out.
[EventsViewer module] Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
I checked the dailay volume use. There should be lower than 500MB
Licensed daily volume 500 MB
Volume used today 57 MB (11.36% of quota)
Also, I have checked other answer from here but looks cannot help me. Did any offical link can point me how to solve this problem?
Thanks!
I am getting very similar problems. I am at 67mb today. I am looking at the historical graphs and never went over that, but I get the nagging message. Were you able to fix it?
Try this command to check your index sizes
index=_internal earliest=-24h source=*metrics.log per_index_thruput | eval mb=kb/1024 | stats sum(mb) by series. There is also preconfigured searches that can assist you in measuring your indexes and data. YourSplunkServer/en-US/app/search/index_status
Try to limit the amount of information your splunk forwarders or Data inputs send\import to your indexer, Segregate your indexes per Data inputs. I stop all forwarders or data inputs, then sequentially enable the LWF's and data inputs to measure the license usage. Blacklist any superfluous or UN-needed data on your LWf's or Data inputs. Do you have any Apps running non-essential scheduled searches?
Just checked the the warning alert/warning message. It looks I have already reach the max warning/alert so it was disable the search?
1 pool warning reported by 1 indexer Correct by midnight to avoid violation Learn more
1 pool violation reported by 1 indexer Correct by midnight to avoid violation Learn more
Permanent
Is there are any method to reduce the index build? by reduce the date of record can do it?