cron job to mail Splunk license violation alerts
Having trouble staying under the Splunk free edition cap of 500MB/day? Splunk is no help: it silently logs violations and only takes action at the end, by shutting down your searches altogether. Here is a quick cron job that emails you license alerts as they happen.
touch ~/splunk-license-alert
chmod +x ~/splunk-license-alert
vim ~/splunk-license-alert
#!/bin/bash
# keep the previous result so it can be compared with the current one
cp ~/.splunk-licence-violations ~/.splunk-licence-violations.last
/opt/splunk/bin/splunk show license | grep violation > ~/.splunk-licence-violations
if diff ~/.splunk-licence-violations ~/.splunk-licence-violations.last >/dev/null ; then
    echo "No new license violations."
else
    # recipient is a plain argument; -t would make mail read recipients from message headers
    mail -s "Splunk license violation" "user@example.com" < ~/.splunk-licence-violations
fi
You can run this a couple times to prime the temp files. Then, you should start seeing "No new license violations." Complete the install by setting up cron:
crontab -e
# run every morning at 1AM; Splunk tallies license violations at 12 midnight
00 1 * * * ~/splunk-license-alert >/dev/null 2>&1
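A variant of the alert script that mails only violation lines not seen on the previous run, needs no priming run, and stays quiet when old violations drop off the list. This is an added example, not the original post's script; the function names and the SPLUNK_BIN, STATE and ALERT_TO variables are assumptions, and the exact format of the violation lines is not assumed.

```shell
#!/bin/bash
# Added example: alert only on newly appeared license violation lines.
# Assumed names: SPLUNK_BIN, STATE, ALERT_TO, new_violations, check_license.
SPLUNK_BIN=${SPLUNK_BIN:-/opt/splunk/bin/splunk}
STATE=${STATE:-$HOME/.splunk-licence-violations}
ALERT_TO=${ALERT_TO:-user@example.com}   # placeholder address

# Print lines that are in $1 (current) but not in $2 (previous).
# A missing previous file counts as empty, so the first run works unprimed.
new_violations() {
    prev=$2
    [ -f "$prev" ] || prev=/dev/null
    # FILENAME is compared instead of NR==FNR, which misfires when the
    # previous file is empty.
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$prev" "$1"
}

check_license() {
    # mktemp gives a private (0600) file; it replaces the state file afterwards
    cur=$(mktemp) || return 1
    "$SPLUNK_BIN" show license | grep violation > "$cur"
    fresh=$(new_violations "$cur" "$STATE")
    mv "$cur" "$STATE"
    if [ -n "$fresh" ]; then
        printf '%s\n' "$fresh" | mail -s "Splunk license violation" "$ALERT_TO"
    else
        echo "No new license violations."
    fi
}

if [ -x "$SPLUNK_BIN" ]; then
    check_license
else
    echo "splunk not found at $SPLUNK_BIN; nothing checked" >&2
fi
```

It can be saved as ~/splunk-license-alert and run from the same crontab entry.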