All Apps and Add-ons

Why am I seeing a license violation warning when we haven't exceeded the limit yet?

abovebeyond
Communicator

Hi,

I'm getting a license error on my Splunk server, we have a 1gb license

See attached screenshot:
alt text

Whats is the issue? We didn't reach the limit yet.

In addition, I'm getting the alert "Daily indexing volume limit exceeded. See License Manager for details."

Thanks!

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

Happy Splunking!

abovebeyond
Communicator

I can see that one of the indexes is consuming my license a lot.
I will need to search inside this index to find out what causing it.

The search option is blocked now. what can i do ?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

As mentioned in the documents, either you have to contact your local splunk support to get a reset code or adjust the license pools if you have more than one

Happy Splunking!
0 Karma

abovebeyond
Communicator

Thanks ! !

0 Karma

abovebeyond
Communicator

How can i avoid this (first time im getting this error)
how can i determine what is the most "indexing" server? probably there are servers that flood my splunk with no reason

Thanks !

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

You can try running the below to find out which source, sourcetype or host is pushing more data

index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

Replace st with s,h,idx for source,host or index based breakdown

More details here : http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Aboutlicenseviolations

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...