Taking a chance on replying to this old thread.... there are probably a lot of you out there with the same issue. I am running the free license for learning and lab purposes at home feeding it whatever that could be interesting. After numerous times getting this hit by free license violation due to some system decided to send a lot of data to Splunk after a reconfiguration or change in traffic pattern, I have learned how to rebuild it. Email forwarding and alerts are not available with the free license, we have to connect every day and check messages for any license violations. Since this was not too practical I decided to write a script using the CLI and sendmail. This is now added to crontab running each day shortly after midnight. It will send me an email with the last 4 days of license usage like below: time usage
---------- -----
2020-06-11 41.02
2020-06-10 32.18
2020-06-09 20.99
2020-06-08 16.44 Here is my script: #!/bin/bash
# Email last days of Splunk license usage - file: license-check.sh
# Emails settings # From is optional - will use hostname if not specified
FROM=my_from_address@example.com
TO=your_email_address@example.com
BODY_FILE=/root/mail.txt
# run splunk search /opt/splunk/bin/splunk search 'index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-3d@d | eval usage=round(100*b/poolsz,2) | eval time=strftime(_time, "%F") | table time usage ' > $BODY_FILE
# send the report with sendmail (cat - $BODY_FILE)<<HEADERS_END | /usr/sbin/sendmail -i $TO Subject: Splunk License usage To: $TO From: $FROM
HEADERS_END Add the file to crontab: 10 0 * * * /root/license-check.sh Modify your postfix install to use a relay host /etc/postfix/main.cf ... and that's all. Although not the best practice to run under root, but it works....
... View more