
splunk license warnings??

AzmathShaik
Path Finder

Hello

I am a bit confused with license warnings. If I have a license of 100 GB and I reached my limit within half a day (12 hrs), at that point I will get a license violation, which will not stop me from indexing and searching. So when will I get my second violation? Do I get it the next minute, as I have not stopped my indexing? If not, when will I get my second violation?

Can anyone help me in understanding this?

Thanks in advance

0 Karma

ChrisG
Splunk Employee

The quota check happens once a day, at midnight (in the time zone your license master uses). If you get a warning and correct it before midnight, then it will not count toward your rolling 30-day total. See About license violations in the Admin Manual.

0 Karma

DalJeanis
Legend

Here's the basic doc for that.

Apparently, Splunk counts the number of days you exceeded your license in the past 30 days, and turns off search capabilities when that number is higher than 4 or 2, depending on what version you have. If you have multiple independent pools with separate licenses, then the other pools remain searchable even when the one pool is in violation.

"Day" is calculated as per the date/time on the deployment's license master.

Here's some discussion of what you can do to stop indexing when you near the limit... but that's apparently not a strategy that most organizations seem to pursue...

Here's one with discussion and references about how to NOT pay to index uninteresting data ...

And, it turns out the simple way, referenced at this link, is to set up a universal forwarder and have THAT stop forwarding to the indexer when it hits its [thruput] limit. The same [thruput] option may be available on the indexer.

Unfortunately, thruput is a rate in KBps, rather than MB/day, so if you throttle it to a rate that will always keep you under your license, then realistically you will NEVER use your entire license. And, since it's a config file, to change it, you would have to restart the indexer or forwarder that you're changing.

It seems like, as a backup plan, you could have an 80%-90% warning, and at some point in the day, calculate the remaining license and throttle the indexer with thruput and a restart, then set it back again automatically after midnight, license time. There ought to be an easier way, but that's feasible, if ugly.

There is some discussion here about routing unwanted events to the nullqueue during blackout periods...

skoelpin
SplunkTrust

The Splunk license goes by how much you index per day. What version of Splunk are you running?

Before 6.5, Splunk will stop you from searching the data after 5 license violations in a 30-day period. So you would need to violate your license on 5 separate days in a 30-day period for it to block you from searching.

If you're on 6.5 or greater, then Splunk will not block you from searching after 5 violations in a month, but I believe you will need to true up your usage at the end of the year if you continuously go over your license.

Indexing never stops, even if you violate the license.

0 Karma
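The rolling 30-day violation count described in the answers above, plus the "calculate the remaining license and throttle with thruput" backup plan, worked through as an added example (not code from the thread or from Splunk). It assumes binary units (1 GB = 1024^3 bytes), a default of 4 tolerated violation days (the 5th blocks search, as in the pre-6.5 behaviour quoted above), and writes the real limits.conf [thruput] maxKBps setting; the sample usage figures are constructed.

```python
from datetime import date, timedelta

GB = 1024 ** 3          # assumption: binary units; confirm against your license terms
KB = 1024
WINDOW_DAYS = 30        # rolling window the thread describes for counting violations


def violation_days(daily_usage_bytes, quota_bytes):
    """Dates whose end-of-day (midnight, license-master time) volume exceeded the quota.
    Only the midnight figure matters: usage corrected before midnight never counts."""
    return sorted(d for d, used in daily_usage_bytes.items() if used > quota_bytes)


def search_blocked(daily_usage_bytes, quota_bytes, today, max_warnings=4):
    """True when violation days in the trailing 30-day window exceed max_warnings
    (pre-6.5 behaviour: the 5th violation in 30 days disables search)."""
    start = today - timedelta(days=WINDOW_DAYS - 1)
    recent = [d for d in violation_days(daily_usage_bytes, quota_bytes)
              if start <= d <= today]
    return len(recent) > max_warnings


def throttle_kbps(quota_bytes, used_today_bytes, seconds_to_midnight, headroom=0.9):
    """maxKBps that keeps today's total under headroom * quota by midnight.
    Returns None when the headroom is already spent: a throttle cannot help, and
    maxKBps = 0 would mean 'unlimited' in limits.conf, so never emit 0 here."""
    remaining = headroom * quota_bytes - used_today_bytes
    if remaining <= 0 or seconds_to_midnight <= 0:
        return None
    return max(1, int(remaining / KB / seconds_to_midnight))


def thruput_stanza(kbps):
    """Render the limits.conf stanza; a restart is still needed for it to apply."""
    return f"[thruput]\nmaxKBps = {kbps}\n"


if __name__ == "__main__":
    # constructed sample: 100 GB license, six over-quota days in the last 30
    quota = 100 * GB
    today = date(2024, 3, 30)
    usage = {today - timedelta(days=i): (101 * GB if i in (2, 5, 9, 14, 20, 25) else 50 * GB)
             for i in range(WINDOW_DAYS)}
    print("search blocked:", search_blocked(usage, quota, today))
    rate = throttle_kbps(quota, 60 * GB, 12 * 3600)   # 60 GB used, 12 h to midnight
    print(thruput_stanza(rate) if rate else "throttling will not help today")
```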