<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Splunk violation scope in Monitoring Splunk</title>
    <link>https://community.splunk.com/t5/Monitoring-Splunk/Splunk-violation-scope/m-p/54305#M7031</link>
    <description>&lt;P&gt;Hi Splunk Community,&lt;/P&gt;

&lt;P&gt;Question about Splunk Licensing by example&lt;/P&gt;

&lt;P&gt;If I have 2 x 100GB license files, creating a 200GB stack.&lt;BR /&gt;
Then this stack, on a single licensing master is split into 3 licensing pools and is then allocated against individual 3 indexers.&lt;/P&gt;

&lt;P&gt;ie. &lt;BR /&gt;
Pool 1 = 50GB, allocated to indexer 1&lt;BR /&gt;
Pool 2 = 50GB, allocated to indexer 2&lt;BR /&gt;
Pool 3 = 100GB, allocated to indexer 3&lt;/P&gt;

&lt;P&gt;Is the violation scoped to the pool or the stack?&lt;BR /&gt;
eg. Am I right in saying that if the total of violations across Pool 1, Pool 2 and Pool 3 exceed 5 that searching across indexer 1, indexer 2 and indexer 3 will be disabled? Or is the violation just scoped to the violating pool, hence a single indexer? eg. Pool 1 is in violation only cause indexer 1 to have searching disabled.&lt;/P&gt;

&lt;P&gt;I assume the entire stack is violated; How can this impact be limited?&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;Is there a suitable strategy to avoid a rogue (occasional high volume) indexer adversely affecting other indexers?&lt;/LI&gt;
&lt;LI&gt;Is dedicated license files per Indexer a (possible expensive) solution?&lt;/LI&gt;
&lt;LI&gt;When a Licensing 'alert' occurs can the pool allocations be juggled around prior to midnight to avoid a licensing warning? Is this the standard strategy?&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Thanks in advance,&lt;/P&gt;</description>
    <pubDate>Thu, 19 Jan 2012 02:14:31 GMT</pubDate>
    <dc:creator>mark</dc:creator>
    <dc:date>2012-01-19T02:14:31Z</dc:date>
    <item>
      <title>Splunk violation scope</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Splunk-violation-scope/m-p/54305#M7031</link>
      <description>&lt;P&gt;Hi Splunk Community,&lt;/P&gt;

&lt;P&gt;Question about Splunk Licensing by example&lt;/P&gt;

&lt;P&gt;If I have 2 x 100GB license files, creating a 200GB stack.&lt;BR /&gt;
Then this stack, on a single licensing master is split into 3 licensing pools and is then allocated against individual 3 indexers.&lt;/P&gt;

&lt;P&gt;ie. &lt;BR /&gt;
Pool 1 = 50GB, allocated to indexer 1&lt;BR /&gt;
Pool 2 = 50GB, allocated to indexer 2&lt;BR /&gt;
Pool 3 = 100GB, allocated to indexer 3&lt;/P&gt;

&lt;P&gt;Is the violation scoped to the pool or the stack?&lt;BR /&gt;
eg. Am I right in saying that if the total of violations across Pool 1, Pool 2 and Pool 3 exceed 5 that searching across indexer 1, indexer 2 and indexer 3 will be disabled? Or is the violation just scoped to the violating pool, hence a single indexer? eg. Pool 1 is in violation only cause indexer 1 to have searching disabled.&lt;/P&gt;

&lt;P&gt;I assume the entire stack is violated; How can this impact be limited?&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;Is there a suitable strategy to avoid a rogue (occasional high volume) indexer adversely affecting other indexers?&lt;/LI&gt;
&lt;LI&gt;Is dedicated license files per Indexer a (possible expensive) solution?&lt;/LI&gt;
&lt;LI&gt;When a Licensing 'alert' occurs can the pool allocations be juggled around prior to midnight to avoid a licensing warning? Is this the standard strategy?&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Thanks in advance,&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jan 2012 02:14:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Splunk-violation-scope/m-p/54305#M7031</guid>
      <dc:creator>mark</dc:creator>
      <dc:date>2012-01-19T02:14:31Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk violation scope</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Splunk-violation-scope/m-p/54306#M7032</link>
      <description>&lt;P&gt;The pool is in violation. A pool in violation should not affect other pools.  Here is a &lt;A href="http://splunk-base.splunk.com/answers/38742"&gt;similar question&lt;/A&gt; and a link to the Admin manual topic on &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations#What_license_warnings_look_like"&gt;license violations&lt;/A&gt;.  &lt;/P&gt;

&lt;P&gt;It is entirely possible that a pool will occasionally violate its license - for example, if your infrastructure is having a really bad day.  That's one reason that Splunk licensing is set up as it is: on that day (when your infrastructure is crashing around you), you really need Splunk, regardless of the consequences to your license.  Even if your total license is violated on a single day, Splunk will continue to run without any consequences.&lt;/P&gt;

&lt;P&gt;Remember that you get 5 violations (for an enterprise license) before search is locked - so don't panic, just monitor and plan.&lt;/P&gt;

&lt;P&gt;And yes, you can "juggle" the pool allocations as needed before midnight to avoid a warning. As long as the total license is not exceeded, this can be a viable strategy. It's really a matter of how you want to allocate your licenses for your company's use of Splunk and how much monitoring/juggling you want to do at the pool level.&lt;/P&gt;

&lt;P&gt;You can certainly assign a separate license to each indexer, but that can be an expensive and hard-to-manage solution.  Most people just put all their licenses in a single pool (the default).  That way, violations occur only if the total license is violated 5 times - individual indexers may be more or less busy, but it may not cause the aggregate to exceed the license.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2012 05:44:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Splunk-violation-scope/m-p/54306#M7032</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2012-01-23T05:44:50Z</dc:date>
    </item>
  </channel>
</rss>

