What to Do When You Get Splunk License Errors

What Are Splunk License Warnings and Violations?

The Splunk documentation explains license warnings and violations as follows:

Warnings and violations occur when you exceed the maximum indexing volume allowed for your license.

If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license, and search will be disabled for the offending pool (but indexing continues). Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only).

Symptoms of Splunk License Violations

When a license violation occurs you typically get this message:

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.

What You Can Do

You can do either one of the following things to get back search functionality:

• Send less data to Splunk for indexing and then wait until there are no more than three (Splunk Free) / five (Splunk Enterprise) violations in the past 30 days
• Uninstall and then reinstall Splunk
• If you are on Splunk Enterprise contact Splunk to get a temporary reset license.
• If you are trying the product out contact Splunk to get an evaluation license and a temporary reset license.