All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Interpret License Usage Page - Splunk Enterprise

rogue_carrot
Communicator
‎08-13-2018 05:26 PM

Hello Team Splunk!

I am having some trouble interpreting the license usage page in Splunk Enterprise. Figures 1 and 2 below show the parts I am confused about. Figure 1 shows that there was some type of license violation on July 25, 2018 while Figure 2 shows this date without any skyrocketing bar indicating that index went over its allowance of data, 500MB per day.

Also, does anyone know what "stack size" means in Figure 2?

Also, in Figure 1, how can a warning be generated if the poolsize is equal to zero? Seems like a warning would be generated if the poolsize is over 524288000 Bytes. I looked this up and found that 500 MB = 524288000 Bytes (in binary). Of course 500MB is the limit on the amount of data that the indexer can consume with the free license.

alt text
Figure 1: July 25, Poolsize = 0 bytes

alt text
Figure 2: Daily License Usage

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

pruthvikrishnap
Contributor
‎08-13-2018 05:38 PM

Hi,

This error may occur if the configurations is not properly done, may be one of the indexer is configured without enough space then this error may trigger. Having more than three warnings in a 30-day window is a license violation for the free license and will stop search head.

Make sure your indexers all have sufficiently large license pools now to avoid new warnings on each new day. Then you'd have to wait for enough warnings to age out of the 30-day window.

Simple way would be to reinstall splunk if there is not much data in it.

0 Karma
Reply

rogue_carrot
Communicator
‎08-13-2018 06:23 PM

Interesting. Thank-you for the reply. I turned off all data coming into the Splunk server so as to not obtain any more license warnings. I think I have three more weeks before I can search again. I will research how to configure the indexer with enough space. If you look the first warnings say the pool size is 500MB. I wonder how the value changed from 500MB to 0MB?

How do I "Make sure your indexers all have sufficiently large license pools"?

Thank-you again for the helpful reply.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...