You're not viewing the latest version, want to switch to the latest version?X

What to Do When You Get Splunk License Errors

What Are Splunk License Warnings and Violations

The Splunk documentation explains license warnings and violations as follows:

Warnings and violations occur when you exceed the maximum indexing volume allowed for your license.

If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license, and search will be disabled for the offending pool (but indexing continues). Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only).

Symptoms of Splunk License Violations

When a license violation occurs you typically get this message: Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting or calling 866.GET.SPLUNK.

What You Can Do

You can do either one of the following things to get back search functionality:

  • Send fewer data to Splunk for indexing and then wait until there are no more than three (Splunk Free) / five (Splunk Enterprise) violations in the past 30 days
  • Uninstall and then reinstall Splunk
  • If you are on Splunk Enterprise contact Splunk to get a temporary reset license
  • If you are trying the product out contact Splunk to get an evaluation license and a temporary reset license
What to Do When You Get Splunk License Errors