When your Splunk license expires, whether it is a personal dev license or any other type, you may be greeted with this error:
Splunk.License: failed to add because: cannot add lic w/ subgroupId=DevTest:[email protected] to stack w/ subgroupId=Production
That means you need to remove your current license from the command line, because the GUI isn’t enough.
Go to the binaries folder of your Splunk installation (in my case /opt/splunk/bin).
Search for expired licenses, especially free tier ones.
You will see something like this:
root@ravisplunk:/opt/splunk/bin# ./splunk list licenses
991E27D8CD115F60A620E52948A66C629689A09954FC25499AC8D4C9B126D391
    allowedRoles:
    assignableRoles:
    creation_time:1719212400
    disabled_features:
        LDAPAuth
        MultisiteClustering
        SearchheadPooling
        UnisiteClustering
    expiration_time:1735113599
    features:
        Acceleration
        AdvancedSearchCommands
        AdvancedXML
        Alerting
        ArchiveToHdfs
        Auth
        ConditionalLicensingEnforcement
        CustomRoles
        DeployClient
        DeployServer
        FwdData
        GuestPass
        KVStore
        LocalSearch
        MultifactorAuth
        NontableLookups
        RcvData
        RollingWindowAlerts
        SAMLAuth
        ScheduledAlerts
        ScheduledReports
        ScheduledSearch
        ScriptedAuth
        SigningProcessor
        SplunkWeb
        SubgroupId
        SyslogOutputProcessor
    group_id:Enterprise
    guid:144826CE-B124-4056-A378-E3BB294F25C3
    is_unlimited:0
    label:Splunk Enterprise Term Non-Production License
    license_hash:991E27D8CD115F60A620E52948A66C629689A09954FC25499AC8D4C9B126D391
    max_retention_size:0
    max_stack_quota:18446744073709551615
    max_users:1
    max_violations:5
    quota:53687091200
    relative_expiration_interval:0
    relative_expiration_start:0
    sourcetypes:
    stack_id:enterprise
    status:EXPIRED
    subgroup_id:DevTest:[email protected]
    type:enterprise
    window_period:30
Remove the expired free license by its license_hash.
Add the new dev license (the one you got via email and copied to your server with scp).
After that, all that is left is to restart Splunk and enjoy it again!
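The steps above as a dry-run helper. This is an added example, not code from the original post: it reads the listing, picks out the license_hash of every license with status:EXPIRED, and prints the commands to run instead of running them. The function names, the sample listing and the license file path are made up for illustration, and the remove licenses, add licenses and restart invocations are the standard Splunk CLI forms, which the post itself does not show.

```shell
#!/bin/sh
# Added example, not from the original post.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"   # install path used in the post

# Read `splunk list licenses` output on stdin; print the license_hash of every
# license whose status is EXPIRED, one per line.
expired_license_hashes() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # fields may be indented
        /^license_hash:/ { hash = substr($0, 14) }        # text after "license_hash:"
        /^status:/ {
            if (substr($0, 8) == "EXPIRED" && hash != "") print hash
            hash = ""                                     # next license starts clean
        }
    '
}

# Print (do not run) the cleanup commands. stdin: the listing; $1: new license file.
cleanup_plan() {
    new_license="$1"
    expired_license_hashes | while IFS= read -r h; do
        printf '%s remove licenses %s\n' "$SPLUNK_BIN" "$h"
    done
    printf '%s add licenses %s\n' "$SPLUNK_BIN" "$new_license"
    printf '%s restart\n' "$SPLUNK_BIN"
}

# Constructed sample in the layout of the listing above (hashes are made up).
SAMPLE_LISTING='AAAA1111
    expiration_time:1735113599
    label:Splunk Enterprise Term Non-Production License
    license_hash:AAAA1111
    status:EXPIRED
BBBB2222
    label:Constructed second license
    license_hash:BBBB2222
    status:VALID'

# Demo on the sample. On a real host, pipe the live listing in instead:
#   "$SPLUNK_BIN" list licenses | cleanup_plan /path/to/new-dev-license.lic
printf '%s\n' "$SAMPLE_LISTING" | cleanup_plan /path/to/new-dev-license.lic
```

Review the printed commands before running them, so that only the expired license is removed and any still-valid one stays in place.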