Monitoring Splunk

Splunk violation scope

mark
Path Finder

Hi Splunk Community,

Question about Splunk Licensing by example

If I have 2 x 100GB license files, creating a 200GB stack.
Then this stack, on a single license master, is split into 3 license pools, each allocated to one of 3 indexers.

ie.
Pool 1 = 50GB, allocated to indexer 1
Pool 2 = 50GB, allocated to indexer 2
Pool 3 = 100GB, allocated to indexer 3

Is the violation scoped to the pool or the stack?
e.g. Am I right in saying that if the total number of violations across Pool 1, Pool 2 and Pool 3 exceeds 5, searching across indexer 1, indexer 2 and indexer 3 will be disabled? Or is the violation scoped only to the violating pool, hence a single indexer? e.g. Pool 1 being in violation only causes indexer 1 to have searching disabled.

I assume the entire stack is violated; how can this impact be limited?

  • Is there a suitable strategy to avoid a rogue (occasionally high-volume) indexer adversely affecting other indexers?
  • Are dedicated license files per indexer a (possibly expensive) solution?
  • When a licensing 'alert' occurs, can the pool allocations be juggled around prior to midnight to avoid a licensing warning? Is this the standard strategy?

Thanks in advance,


lguinn2
Legend

The pool is in violation. A pool in violation should not affect other pools. Here is a similar question and a link to the Admin manual topic on license violations.

It is entirely possible that a pool will occasionally violate its license - for example, if your infrastructure is having a really bad day. That's one reason that Splunk licensing is set up as it is: on that day (when your infrastructure is crashing around you), you really need Splunk, regardless of the consequences to your license. Even if your total license is violated on a single day, Splunk will continue to run without any consequences.

Remember that you get 5 violations (for an enterprise license) before search is locked - so don't panic, just monitor and plan.

And yes, you can "juggle" the pool allocations as needed before midnight to avoid a warning. As long as the total license is not exceeded, this can be a viable strategy. It's really a matter of how you want to allocate your licenses for your company's use of Splunk and how much monitoring/juggling you want to do at the pool level.

You can certainly assign a separate license to each indexer, but that can be an expensive and hard-to-manage solution. Most people just put all their licenses in a single pool (the default). That way, violations occur only if the total license is violated 5 times - individual indexers may be more or less busy, but it may not cause the aggregate to exceed the license.
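To make the pool-scoped rule from the answer above concrete, here is a small Python model added as an illustration (it is not code from the thread or from Splunk). It assumes a pool is in violation on any day its indexers together exceed the pool quota, that search is locked for that pool's indexers only once the warning count passes 5, and it models the "juggle before midnight" strategy as moving spare quota between pools without ever exceeding the stack.

```python
from dataclasses import dataclass

# Constructed model of the pool-scoped licensing rule discussed in the thread.
# Assumption: a pool is "in violation" on a day when the combined daily indexed
# volume of its indexers exceeds the pool's quota; after MAX_WARNINGS violations
# search is disabled for that pool's indexers only, never for sibling pools.
MAX_WARNINGS = 5


@dataclass
class Pool:
    name: str
    quota_gb: float
    indexers: list
    violations: int = 0

    def usage(self, daily_gb):
        """Total GB indexed today by this pool's indexers (constructed input)."""
        return sum(daily_gb.get(ix, 0.0) for ix in self.indexers)


def record_day(pools, daily_gb):
    """Apply one day's indexed volume; return names of pools that violated."""
    violated = []
    for pool in pools:
        if pool.usage(daily_gb) > pool.quota_gb:
            pool.violations += 1
            violated.append(pool.name)
    return violated


def search_disabled(pools):
    """Per-indexer lockout status: only the violating pool's indexers are hit."""
    return {ix: pool.violations > MAX_WARNINGS for pool in pools for ix in pool.indexers}


def rebalance(pools, daily_gb, stack_gb):
    """The 'juggle before midnight' strategy: move spare quota from under-used
    pools to one that is about to exceed. The stack total is never exceeded
    because quota only moves between pools. Returns True if every pool fits."""
    over = [p for p in pools if p.usage(daily_gb) > p.quota_gb]
    under = [p for p in pools if p.usage(daily_gb) <= p.quota_gb]
    for p in over:
        need = p.usage(daily_gb) - p.quota_gb
        for donor in under:
            give = min(donor.quota_gb - donor.usage(daily_gb), need)
            donor.quota_gb -= give
            p.quota_gb += give
            need -= give
            if need <= 0:
                break
    assert sum(p.quota_gb for p in pools) <= stack_gb
    return all(p.usage(daily_gb) <= p.quota_gb for p in pools)
```

If the day's total usage already exceeds the whole stack, `rebalance` returns False: juggling pools cannot help, matching the answer's "as long as the total license is not exceeded" caveat.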
