Have a problem staying under the Splunk free edition cap of 500MB/day? Splunk is no help. It silently logs violations, only taking action finally by shutting down your searches all together. Here is a quick cron job to email you license alerts as they happen.
touch ~/splunk-license-alert chmod +x ~/splunk-license-alert vim ~/splunk-license-alert
#!/bin/bash cp ~/.splunk-licence-violations ~/.splunk-licence-violations.last /opt/splunk/bin/splunk show license |grep violation > ~/.splunk-licence-violations if diff ~/.splunk-licence-violations ~/.splunk-licence-violations.last >/dev/null ; then echo "No new license violations." else cat ~/.splunk-licence-violations |mail -s "Splunk license violation" -t "email@example.com" fi
You can run this a couple times to prime the temp files. Then, you should start seeing "No new license violations." Complete the install by setting up cron:
>crontab -e # run every morning at 1AM; Splunk tallies license violations at 12 midnight 00 1 * * * ~/splunk-license-alert >/dev/null 2>&1