My Splunk Light license expired, so I switched to free, but why did I immediately get license violations and search was disabled?

staze
Path Finder

All,

I had Splunk Light installed (version 6.4.0). Tried to log in, but noticed that the license had expired, so I switched to free. Great. Now I get:

This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool contains slave(s) with 16 warnings
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool contains 1 slave/s in violation
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members

And search doesn't work (if I try to search, I just get no results, rather than a disabled warning). I am assuming these are license violations (though they don't say that specifically), and since I just got 16 of them, even though I don't get anywhere NEAR 500MB/day with this install (more like 15MB/day, at most), I'm assuming I won't get search for 30 days?

Please advise. This is running on a Mac (10.11.5). Thanks!

1 Solution

staze
Path Finder

Splunk support, Robb, was able to get me through the process. Couple licenses, couple restarts, then a switch back to free, and it works great.

Thanks!


hvspa
New Member

Hi, how can I contact Robb or someone else from Splunk support to help me with the same problem? I kind of did not log into the system for a few days, and now, after switching to the free license, I am stuck with the following messages and search does not work, even though my usage is 15% (80 MB per day):

Nov 2, 2019, 12:00:00 AM
(15 hours ago) This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members core auto_generated_pool_download-trial download-trial pool_over_quota

Please, who can I contact to get help on this?


staze
Path Finder

Got an answer back from Splunk support that this may be a known issue with license replacement/expiration. They are going to get me a license extension so I can more gracefully convert to the free license. Will post back...


ddrillic
Ultra Champion

Apparently the best thing to do is to reinstall Splunk.

The issue of "This pool has exceeded its configured poolsize=0 bytes" and the solution are at: License Free and pool size


martin_mueller
SplunkTrust
SplunkTrust

Based on the messages, one of your indexers was configured with a license pool of zero bytes (probably no pool at all) for sixteen days. That caused sixteen license warnings, iirc having more than three warnings in a 30-day window is a license violation for the free license.

Make sure your indexers all have sufficiently large license pools now to avoid new warnings on each new day. Then you'd have to wait for enough warnings to age out of the 30-day window.

In theory there are license violation reset keys, though I don't know of anyone ever getting one for a free license. According to your profile text you work for a US university? If you're an Internet2 member you should check out http://www.internet2.edu/products-services/cloud-services-applications/splunk/
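
The aging-out arithmetic from the answer above, as an added example (not part of the thread and not Splunk code). It assumes a warning counts while its date lies within the last 30 calendar days inclusive, takes the "more than three" threshold from the answer's recollection, and uses constructed dates.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30   # rolling window length stated in the answer
MAX_WARNINGS = 3   # "more than three" is a violation, per the answer's recollection


def warnings_in_window(warning_days, today, window_days=WINDOW_DAYS):
    """Count warnings dated within the window_days ending on `today` (inclusive)."""
    start = today - timedelta(days=window_days - 1)
    return sum(1 for d in warning_days if start <= d <= today)


def in_violation(warning_days, today, window_days=WINDOW_DAYS,
                 max_warnings=MAX_WARNINGS):
    """True while the rolling window still holds more than max_warnings."""
    return warnings_in_window(warning_days, today, window_days) > max_warnings


def first_clear_day(warning_days, window_days=WINDOW_DAYS,
                    max_warnings=MAX_WARNINGS):
    """First day, on or after the last warning, on which the window no longer
    holds more than max_warnings. Assumes the pool has been fixed, so no new
    warnings are recorded after the last one in warning_days."""
    if not warning_days:
        return None
    day = max(warning_days)
    while in_violation(warning_days, day, window_days, max_warnings):
        day += timedelta(days=1)
    return day


# Constructed sample: sixteen consecutive daily warnings, as in the thread.
# The start date is made up for illustration.
FIRST_WARNING = date(2016, 6, 1)
SAMPLE = [FIRST_WARNING + timedelta(days=i) for i in range(16)]

if __name__ == "__main__":
    last = max(SAMPLE)
    clear = first_clear_day(SAMPLE)
    print("last warning: ", last)
    print("window clears:", clear, f"({(clear - last).days} days after the last warning)")
```

Under these assumptions the wait is shorter than a full 30 days after the last warning, because only enough warnings to get back under the threshold have to leave the window.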
