Alerting

What happens with tracked alerts during license violation period?

meno
Path Finder

One of the things to remember when designing a Splunk 4.2.x HA environment is the behavior in case of license violations (>4 by midnight of the last 30 days on an Enterprise license). As mentioned here, Splunk does not stop indexing data, but search will be blocked.

Does this also apply to tracked alerts/scheduled searches? Or are only the searches executed by users via the GUI blocked until the license violation period ends?

1 Solution

jbsplunk
Splunk Employee

Since searching is disabled, this would include both ad-hoc and saved searches. Since alerts are based on saved searches, you would not receive any alerts during the period of time in which the number of violations has caused search to be disabled.

You can find some useful searches that you can use to set up an alert on prior to your running into violations, which should help with providing a buffer for you to use for investigation to determine what is causing the violations. For useful searches in determining where the license volume comes from, and how to set up an alert when you get a violation, see the following page:

http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

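The answer's advice is to alert before the violation threshold is reached, because once search is disabled no scheduled search (and therefore no alert) can fire. Below is an added example of what such an early-warning setup looks like as a savedsearches.conf fragment; it is not taken from the original answer, the linked wiki page, or Splunk's own documentation. It assumes the searches run on the license master (where license_usage.log is written), a constructed daily quota of 50 GB, a placeholder email address, and that the licenser/slaves REST endpoint exposes a warning_count field.

```ini
# savedsearches.conf on the license master (constructed example; quota, thresholds
# and the email address are placeholders to adapt, not values from the original answer)

# 1. Early warning: fire when today's indexed volume passes 80% of the daily quota,
#    well before a warning is recorded. license_usage.log "type=Usage" lines carry
#    the indexed bytes in field "b". quota_GB below is the constructed 50 GB quota.
[License volume approaching quota]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = @d
dispatch.latest_time = now
search = index=_internal source=*license_usage.log* type=Usage \
| stats sum(b) AS bytes_today \
| eval indexed_GB = round(bytes_today / 1024 / 1024 / 1024, 2) \
| eval quota_GB = 50 \
| eval pct_of_quota = round(100 * indexed_GB / quota_GB, 1) \
| where pct_of_quota >= 80
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = licensing-alerts@example.com

# 2. Violation counter: fire as soon as any license slave has one or more warnings
#    in the rolling 30-day window, while search is still available to investigate.
#    Assumes the licenser/slaves REST endpoint exposes warning_count (assumption).
[License warning recorded]
enableSched = 1
cron_schedule = 5 0 * * *
search = | rest /services/licenser/slaves \
| table label warning_count \
| where warning_count >= 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = licensing-alerts@example.com
```

The first stanza is the buffer the answer describes: it runs hourly and fires while search still works, so the investigation into what is driving the volume can start before a warning is counted. To see where the volume comes from, the same license_usage.log events can be split with `stats sum(b) by idx, st, h` instead of the single `sum(b)`.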

