Monitoring Splunk

License violations: if a sub-pool exceeds quota, what happens to the other pool's slaves?

benjiw
Explorer

Greetings all,

We have a smallish amount of enterprise licenses, in one stack,
most of this is in one larger (production, default) pool.

We've carved off a smaller chunk of that for use in our QAS environment.
(No info sharing between the indexers - it's purely so we can enable the
enterprise features - LDAP login etc.)

...What happens if the QAS pool exceeds it's license?

Are license violations per-pool, or per-stack?

If the QAS pool trips more than 5 violations, will our production pool slaves still be ok?

--Benji

1 Solution

hexx
Splunk Employee
Splunk Employee

As per this documentation topic, violations are counted per-pool. When a given enterprise pool reaches 5 violations, all slaves of that pool see their search disabled. Other pools should not be affected by this.

View solution in original post

hexx
Splunk Employee
Splunk Employee

As per this documentation topic, violations are counted per-pool. When a given enterprise pool reaches 5 violations, all slaves of that pool see their search disabled. Other pools should not be affected by this.

JoeIII
Path Finder

I wish I'd seen this before - in our SE conversations, I was told that in such a situation pool warnings would be generated on a strictly informational basis, as long as the total across all pools did not exceed our licensed volume. Up-voting this answer in hopes that more people see it and the SE's ar more clear in the future.

benjiw
Explorer

Done, thanks for the suggestion.

0 Karma

hexx
Splunk Employee
Splunk Employee

I would agree with you, and I'd like to encourage you to post a comment on that documentation topic stating this lack of clarity. Our documentation writers monitor this sort of feedback and will be glad to receive it.

0 Karma

benjiw
Explorer

Thanks Hexx - I appreciate the answer.

As feedback, I believe the page you reference doesn't explicitly answer my question - it says you can exceed the pool or stack, and that search will be disabled, but doesn't say "search will be disabled just on the offending pool".
But thanks for the clear answer.

Also, I've found out (I believe!) that Summary Searches / SI populations are disabled when search is disabled.
This isn't something I'd thought about previously, and would have been a nasty gotcha down the track - perhaps it could be explicitly mentioned on that page.

Cheers,
--Benji

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...