Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Free Version License Violation help

martinpugh
Explorer
‎06-22-2012 03:17 AM

Hi guys,

I've been trying to get a new index built to import some IIS logs and in the process of importing and deleting content to get the formats right, I've tripped over the 500MBytes per day limit of the Free License. Trouble is, I'm hoping to back fill the final version index with some historical data but of course I'm already over the daily limit.

From what I've read, the daily limit counts as one violation per day if the daily indexed volume remains at midnight. So I guess my question is, as a one off, if I continue with the backfill (bearing in mind my Splunk box is also continuing to recieve it's normal syslog traffic of around 45Mbytes per day too), will I just count as a single violation even if I'm over by a couple of hundred meg?

Moving forward, the IIS boxes are generating about 90Mbyes per day between them, so I would normally be well under the 500 MBytes limit.

Thanks and best regards.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-22-2012 04:03 AM

hi martinpugh

if I recall it right, if you hit a license violation it does not matter how much you are over the limit .... but keep in mind that each violation counts for 30 days. So 3 violation within a rolling 30 days and you cannot search your data anymore.

read more here

cheers

MuS

Reply

Drainy
Champion
‎06-23-2012 02:15 AM

Yes, but just be careful about the 30 days. It is a rolling 30 day window so if you had one violation and 29 days later a second violation, the countdown would restart. 29 days after your second violation you would still have 2 violations - you need to go 30 days completely free of violations to reset the count.

0 Karma
Reply

mikelanghorst
Motivator
‎06-22-2012 09:48 AM

Yes, the splunk license manager doesn't care whether you exceed by 10MB or 500GB, the violations count the same. As long as you don't have 3 violations in 30 days, you'll be fine. Just get all your data in within the 2 days.

Reply

martinpugh
Explorer
‎06-22-2012 05:51 AM

Hi MuS. That seems to be the understanding from most people too, including the Splunk partner I spoke to earlier. I've added the remaining data I wanted to get in and moving forward we will be way below the daily limit.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...