Security

splunk license warnings??

AzmathShaik
Path Finder

Hello

i am bit confused with license warnings, if i have a license of 100gb and i reached my limit with in half day (12hrs) so at that point i will get a license violation which will not stops me from indexing ans searching. so when will i get my second violation, do i get the next minute as i have not stopped my indexing ?? if not when will i get my second violation??

can anyone help me in understanding this ??

Thanks in advance

0 Karma

ChrisG
Splunk Employee
Splunk Employee

The quota check happens once a day, at midnight (in the time zone your license master uses). If you get a warning and correct it before midnight, then it will not count toward your rolling 30-day total. See About license violations in the Admin Manual.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Here's the basic doc for that.

Apparently, splunk counts the number of days you exceeded your license in the past 30 days, and turns off search capabilities when that number is higher than 4 or 2, depending on what version you have. If you have multiple independent pools with separate licenses, then the other pools remain searchable even when the one pool is in violation.

"Day" is calculated as per the date/time on the deployment's license master.

Here's some discussion of what you can do to stop indexing when you near the limit... but that's apparently not a strategy that most organizations seem to pursue...

Here's one with discussion and references about how to NOT pay to index uninteresting data ...

And, it turns out the simple way, referenced at this link, is to set up a universal forwarder and have THAT stop forwarding to the indexer when it hits its [thruput] limit. The same [thruput] option may be available on the indexer.

Unfortunately, thruput is a rate in KBps, rather than MB/day, so if you throttle it to a rate that will always keep you under your license, then realistically you will NEVER use your entire license. And, since it's a config file, to change it, you would have to restart the indexer or forwarder that you're changing.

It seems like, as a backup plan, you could have a 80%-90% warning, and at some point in the day, calculate the remaining license and throttle the indexer with thruput and a restart, then set it back again automatically after midnight, license time. There ought to be an easier way, but that's feasible, if ugly.

There is some discussion here about routing unwanted events to the nullqueue during blackout periods...

skoelpin
SplunkTrust
SplunkTrust

The Splunk license goes by how much you index per day. What version of Splunk are you running?

Before 6.5, Splunk will stop you from searching the data after 5 license violations in a 30 day period. So you would need to violate your license 5 separate days in a 30 day period for it to block you from searching

If your on 6.5 or greater than Splunk will not block you from searching after 5 violations in a month, but I believe you will need to TrueUp your usage at the end of the year if you continuously go over your license.

Indexing never stops, even if you violate the license

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...