Installation

License violation BUT NO INDEX IS EXCEEDING the 500 MB daily limit

marcosciarrone
New Member

Good morning everybody,
as reported in the subject I have a license limit violation in my Splunk installation with unavailability of searching anything. I verified that in the last 30 days I didn't exceed the 500 MB daily in the log.

Why I cannot use the search feature and why I'm receiving the license violation error if I'm inside the 500 MB limit (I'm currently respecting the license agreement of the Splunk free version)?

Thank you very much for your assistance.

Marco

Tags (3)
0 Karma

marcosciarrone
New Member

Dear all, thank you for your feedback.

I installed Splunk SOS and I generated the report of the license usage for the last 30 days: The daily usage of the license is always below 200MB each day.

Any suggestion? I cannot access the search yet.

Thank you,
Marco

0 Karma

aelliott
Motivator

You would have to back up your configurations/ indexes before doing this.
http://answers.splunk.com/answers/11059/splunk-backup-and-restore-procedure

0 Karma

marcosciarrone
New Member

Ok but if I reinstall Splunk is there any risk I lost all my stored logs?

Thank you,
Marco

0 Karma

aelliott
Motivator

I would first attempt to re-install Splunk.

0 Karma

aelliott
Motivator

You are probably looking at the Compressed index size. Your data will be between 10% and 110% based on the data compression ratio and unique columns in the data.. I recommend installing S.O.S. (splunk on splunk) app http://apps.splunk.com/app/748/, it will give you much insight to these values (metrics dashboard i believe)

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

For a more reliable view into your licensing volume take a look at Settings -> Licensing -> Usage Report -> 30 days, directly: http://yourhost:8000/en-US/manager/search/licenseusage

marcosciarrone
New Member

Thank you for the reply. I have only one index with only one device feeding the syslog. I checked the size of the log from the search menu (i do not remember the right menu) and i created a graph with the amount of the index over the last 30 days. I'm always under 180 mb. I can confirm that the size is below 200 mb because i've another syslog with the same data.

Any idea?

Thank you very much,
Marco

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

It's also not calculated on a per-index basis but rather over all (non-internal) indexes combined... hence if you have three indexes getting 200MB each per day you're over 500MB in total daily.

0 Karma

kristian_kolb
Ultra Champion

From the sound of it, you are not within your 500 MB/day. How did you check? You are aware that the license is counted towards the uncompressed size of the incoming logs, not how much space they take on disk on the indexer.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...