Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

License violations: if a sub-pool exceeds quota, what happens to the other pool's slaves?

benjiw
Explorer
‎01-19-2012 10:13 PM

Greetings all,

We have a smallish amount of enterprise licenses, in one stack,
most of this is in one larger (production, default) pool.

We've carved off a smaller chunk of that for use in our QAS environment.
(No info sharing between the indexers - it's purely so we can enable the
enterprise features - LDAP login etc.)

...What happens if the QAS pool exceeds it's license?

Are license violations per-pool, or per-stack?

If the QAS pool trips more than 5 violations, will our production pool slaves still be ok?

--Benji

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-19-2012 11:32 PM

As per this documentation topic, violations are counted per-pool. When a given enterprise pool reaches 5 violations, all slaves of that pool see their search disabled. Other pools should not be affected by this.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-19-2012 11:32 PM

As per this documentation topic, violations are counted per-pool. When a given enterprise pool reaches 5 violations, all slaves of that pool see their search disabled. Other pools should not be affected by this.

Reply
Solved! Jump to solution

JoeIII
Path Finder
‎07-15-2013 05:44 AM

I wish I'd seen this before - in our SE conversations, I was told that in such a situation pool warnings would be generated on a strictly informational basis, as long as the total across all pools did not exceed our licensed volume. Up-voting this answer in hopes that more people see it and the SE's ar more clear in the future.

Reply
Solved! Jump to solution

benjiw
Explorer
‎01-30-2012 02:05 PM

Done, thanks for the suggestion.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎01-22-2012 10:28 PM

I would agree with you, and I'd like to encourage you to post a comment on that documentation topic stating this lack of clarity. Our documentation writers monitor this sort of feedback and will be glad to receive it.

0 Karma
Reply
Solved! Jump to solution

benjiw
Explorer
‎01-22-2012 07:51 PM

Thanks Hexx - I appreciate the answer.

As feedback, I believe the page you reference doesn't explicitly answer my question - it says you can exceed the pool or stack, and that search will be disabled, but doesn't say "search will be disabled just on the offending pool".
But thanks for the clear answer.

Also, I've found out (I believe!) that Summary Searches / SI populations are disabled when search is disabled.
This isn't something I'd thought about previously, and would have been a nasty gotcha down the track - perhaps it could be explicitly mentioned on that page.

Cheers,
--Benji

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...