Alerting

Seemingly false license alert

atat23
Path Finder

Seems my license master was down over the holiday period; not really a big deal as it's mostly for testing atm. However, when I started it back up I immediately got a license alert telling me we had indexed 180GB in the last day. My license is currently 100GB.

If I use the following search: index=_internal source=*metrics.log group=per_index_thruput series!=_* | eval totalGB = (kb/1024)/1024 | timechart span=1d sum(totalGB)

it returns:
_time                    sum(totalGB)
31/12/2013 00:00:00.000  12.2209665475012
01/01/2014 00:00:00.000  25.0286318313375
02/01/2014 00:00:00.000  31.1994889654078
03/01/2014 00:00:00.000  33.0460035013612
04/01/2014 00:00:00.000  25.8918191486529
05/01/2014 00:00:00.000  21.8476761363130
06/01/2014 00:00:00.000  33.3480448879797
07/01/2014 00:00:00.000  14.9539859788464

Looking at a few of the Splunk apps like SOS, it also shows my usage at 180GB under license usage, although looking at what has actually been indexed using status > indexer activity > indexer activity overview, or the indexing and forwarding view in SOS, it shows me similar results to the above search.

So it seems to be some kind of mismatch between the ways the licensing is being seen by Splunk. Anyone have any suggestions on what may be going on here or how I would go about getting to the bottom of this?

1 Solution

bpaul_splunk
Splunk Employee

The information used to determine license violations is calculated on a "RolloverSummary" type. This is updated nightly at midnight. Other calculations can be made using a type of "Usage", which occurs continuously. If, for various reasons, the "RolloverSummary" information is not received by the license server, it will be queued up for the next successful connection. In cases like these, multiple days' worth of "RolloverSummary" data will be submitted for a single 24-hour period, causing license violation warnings to be displayed.

It is important to make sure communication between indexers and License Masters is not impeded around midnight to prevent these types of occurrences.

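A search to check the explanation above against the license master's own log, added here as an example and not part of either post. It assumes it is run on the license master (where license_usage.log is written) with that log's usual type and b fields extracted: rollover_GB is what the master counted against the license per calendar day, usage_GB is what was actually indexed that day, and summaries_received approximates how many nightly summaries landed on that day, so a day that absorbed a queued backlog shows a value near 2 or more alongside a normal usage_GB.

```spl
index=_internal source=*license_usage.log (type=RolloverSummary OR type=Usage)
| eval GB = b/1024/1024/1024
| timechart span=1d sum(GB) AS GB by type
| fillnull value=0 RolloverSummary Usage
| eval summaries_received = if(Usage > 0, round(RolloverSummary / Usage, 1), null())
| rename RolloverSummary AS rollover_GB, Usage AS usage_GB
```

Run it over the same date range as the per_index_thruput search in the question; the usage_GB column should track that search, while rollover_GB is the figure the alert is based on.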
