License Error when saving Alert (Valid license)

philwhite · ‎05-24-2016

I am currently running Splunk 6.4.1 and I am tied into our license master but I am getting a licensing message on one of my search heads when saving an Alert. "This scheduled search will not run after the Enterprise Trial License expires". Our license is valid and I am getting no errors on the indexers about exceeded volume, etc. I do not have access to our license master so I can't easily verify what is going on, on that end. Is there anything that I can check so that I don't hit a brick wall in 50 days when it may or may not expire my license?

philwhite · ‎06-01-2016

Unfortunately this search does not work on our search head. Thanks.

mcronkrite_splu · ‎07-09-2017

You are probably operating inside of a search head cluster. If so, try using curl to access the REST endpoints against the literal name of one of the search heads. For example: instead of going to https://mysplunk.company.com, go to https://mysearchhead01.company.com via Curl like this

curl -k -u alice:pass https://mysearchhead01.company.com/servicesNS/alice/myapp/saved/searches/mysearch \
        -d search="index=mai*"

phadnett_splunk · ‎05-25-2016

Hi philwhite, try using this search to find out if/when your license is expiring:

|rest /services/licenser/licenses | eval created=strftime(creation_time,"%m/%d/%y %H:%M:%S")| eval expires=strftime(expiration_time,"%m/%d/%y %H:%M:%S") | eval "size (GB)" = round(quota/1024/1024/1024, 3) | table status, "size (GB)", created, expires, label

You can always hit the rest endpoint to for the same information:
http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTlicenseExamples

License Error when saving Alert (Valid license)

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms