Splunk Enterprise for free?
Splunk offers us a 60-day Enterprise license for free. After that you either have to switch back to the free version, pay, or reinstall the whole of Splunk.
As a developer, I would certainly love to use the Enterprise license, but I can't afford to buy it. My only solution is to reinstall Splunk from scratch. No, no, I would lose all my searches and I would have to set everything up again. I don't need the data ingestion, but I need to keep my searches and my settings. I'm looking for a simple solution to keep all my settings after I reset.
I see Splunk offers a Docker version, so why not use it? You just need to re-create the container. I did some research, and I know there are some folders I can keep persistent after the reset.
I finally came up with this docker-compose.yml file:
version: '3'
services:
  splunk:
    image: splunk/splunk:9.0
    hostname: "splunk"
    container_name: "splunk"
    restart: always
    networks:
      # we need to create this network first
      - lan-docker
    volumes:
      - ./data:/data
      # apps, per-user settings and alert actions are kept on the host
      - ./data/etc.apps/apps:/opt/splunk/etc/apps
      - ./data/etc.users:/opt/splunk/etc/users
      # single-file mount: the host file must already exist as a regular file
      - ./data/etc.system/local/alert_actions.conf:/opt/splunk/etc/system/local/alert_actions.conf
    ports:
      # Splunk Web is published on the host loopback only
      - 127.0.0.1:8001:8000
    environment:
      TZ: "America/New_York"
      SPLUNK_START_ARGS: "--accept-license"
      SPLUNK_PASSWORD: "your-password-here"
networks:
  lan-docker:
    external: true
I created this file; whenever my license expires, I just need to run it: run.sh
#!/bin/sh
# stop and remove the old container, then re-create it from docker-compose.yml
sudo docker stop splunk
sudo docker container rm splunk
echo "starting"
sudo docker-compose up -d
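The compose file above bind-mounts three host directories and one single file (alert_actions.conf). If that file is missing on the host when the container is created, Docker creates a directory with that name instead and the mount no longer carries the settings. The following pre-flight check is an added example, not part of the original post; the function names check_mounts and prepare_mounts are made up here, and the paths are taken from the volumes list above.

```shell
#!/bin/sh
# Added example: verify and prepare the host side of the bind mounts
# listed under "volumes:" in the docker-compose.yml above.

# check_mounts BASE: print each problem found; return 1 if there is any.
check_mounts() {
    base=$1
    rc=0
    for d in data data/etc.apps/apps data/etc.users; do
        if [ ! -d "$base/$d" ]; then
            echo "missing directory: $base/$d"
            rc=1
        fi
    done
    f="$base/data/etc.system/local/alert_actions.conf"
    if [ -d "$f" ]; then
        # Docker creates a directory when a file bind-mount source is absent
        echo "is a directory, expected a file: $f"
        rc=1
    elif [ ! -f "$f" ]; then
        echo "missing file: $f"
        rc=1
    fi
    return $rc
}

# prepare_mounts BASE: create whatever is missing; never overwrite content.
prepare_mounts() {
    base=$1
    mkdir -p "$base/data/etc.apps/apps" "$base/data/etc.users" \
             "$base/data/etc.system/local" || return 1
    f="$base/data/etc.system/local/alert_actions.conf"
    if [ -d "$f" ]; then
        # rmdir only succeeds on an empty directory, so real data is not lost
        rmdir "$f" || return 1
    fi
    # create an empty file only if none exists yet
    [ -f "$f" ] || : > "$f"
}
```

From the directory that holds docker-compose.yml, calling `prepare_mounts . && check_mounts .` before `docker-compose up -d` catches the directory-instead-of-file case before the container is re-created.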