Alerting

"1 pool warning reported by 1 indexer"

MaximeM
Explorer

Hi,

I looked for an answer on SplunkBase but I didn't find anything clear. Here is my problem:

Yesterday, I installed a universal forwarder on a remote server to get some data into my Splunk indexer. But I got an alert because I indexed too high a volume of data (I am on a Free License: 500MB/day allowed). Today, when I go to Manager > Licensing, I can see the warning for yesterday in the "Permanent" Alert section: "1 license window warning reported by 1 indexer 13 hours ago".

The problem is that there is another line in the "Current" Alert section:

"1 pool warning reported by 1 indexer Correct by midnight to avoid violation"

When I click on it, I can see:

"This pool contains slave(s) with 1 warnings" - indexer name - "auto_generated_pool_free" - "free" - "pool_warning_count"

Here is my deployment setup: 1 indexer, 2 forwarders on 2 different remote servers.

What does this "current alert" line mean? Am I going to get another warning? Or is it a confirmation of the previous warning? How can I solve it?

Hope it's clear. Sorry in case of bad grammar.
Thanks in advance.

Maxime

1 Solution

sowings
Splunk Employee

Yes, it's an indicator of the prior warning. You're not likely to get another unless you go over the 500MB limit again. You're allowed five (5) violations in a 30 day period, at which point you won't be able to search, but your data will still be indexed.

So long as you continue to stay below the limit, the banner messages (if any) will go away tomorrow. After 30 days, that message should disappear even from the license page of the Manager as well.


sowings
Splunk Employee

Ah, thanks Drainy. I was thinking of enterprise.

0 Karma

MaximeM
Explorer

Thanks a lot! I'm feeling good now.

0 Karma

Drainy
Champion

Just to be clear, on a free license you only have a limit of 3 violations, and that's for a 30 day "rolling" window; you have to have 30 days of no violations for all of them to clear.
