License Pool Violation - After Search is disabled on a license pool due to 5 violations, does the continued indexing count towards the remaining quota from other pools?

gehogan3
Explorer

I am looking for a little clarity on this...

Like many folks here, I have carved out a small part of our total license volume for QA. For simplicity's sake, let's say I have a 20GB/day license and I carve off 5GB/day for QA. But...one of our QA servers goes nuts and starts spewing crazy amounts of log data.

I know that if the QA_Pool license volume is violated 5 times in a 30-day period, then the search functionality for that pool stops working until one of those violations rolls off. That's fine...I get that.

What I don't quite get is this: Even though the QA box that is spewing logs has blasted through the QA_Pool license volume, it will continue to spew and continue to get indexed...right? And that indexing goes against our TOTAL license volume...so, even though we have the QA pool capped at 5GB, it doesn't prevent a runaway QA machine from blowing through our Full license volume all by itself.

Right? If so...is there an automated way to fix this? We are alerting when the license volumes hit 75%, but it's still a manual process to: 1) Figure out which QA box is spewing the data, 2) Log into that box and shut down the Splunk forwarder.

Or am I missing something here?

Thanks in advance!

rsennett_splunk
Splunk Employee

Once an individual pool reaches 5 license violations (3 for the Free Version and 5 for Enterprise) in a 30-day period, search is disabled, and indexing continues. The volume from the continued indexing does not count towards any other quota (other pools)... So the QA box can spew its head off until you figure out how to stop it...but it will not blow out your other pool(s). It does not go against some kind of umbrella quota... Once you create a pool with 5GB and a pool with 15GB, you now have two independent license pools...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

gehogan3
Explorer

Ohhh...that makes much more sense. I didn't pick that up from the documentation.

Now if QA blows through their license pool, but not our corporate license...is there a way for us to internally reset their "License Violations Count"? It is, after all, a self-induced limitation.

Thanks for the info!

-Emmett


rsennett_splunk
Splunk Employee

Good question. There's no way for you to reset a pool (although I would imagine you could remove the pool and re-create it...). The license "reset" is in the form of a license that you add... so theoretically it's going to reset all to day 1 of the 30-day clock.


rsennett_splunk
Splunk Employee

If that answers your question, please accept my answer. 🙂
