Guys, great product, has really helped tracking down firewall violations and AD account lockouts.
Problem is your licensing thresholds suck.
In setting this up i've digested too much data for too long so by the time I gave myself a headache trying to understand how to restrict the data input and actually make it work, my search has been locked out...
...for 30 days apparently.
This does not make me want to risk paying for something I might utimately violate and be locked out of.
Honestly I'm not willing to wait 30 days for this thing to sort itself out...move on, next product.
James
It took you 3 days before you noticed and/or figured you should stop Splunk in order to avoid violating your license to the point that you're locked out?
For a discussion about this license model, I'd recommend you check http://splunk-base.splunk.com/answers/42821/how-can-a-free-license-expire
It's up to you to decide who you agree with - if you think the license model is simply wrong, go on, move on to the next product if you feel like it. I can't help but feeling the same in your case as in the other thread though - the problem here is not really with the model or the thresholds, the problem is you didn't pay attention and made sure you wouldn't get locked out, despite that Splunk gives you several opportunities to rectify this before finally locking down search capabilities.
Also there's nothing stopping you from simply reinstalling the whole thing and start off with a clean slate.