All Apps and Add-ons

Why am I seeing a license violation warning when we haven't exceeded the limit yet?

abovebeyond
Communicator

Hi,

I'm getting a license error on my Splunk server, we have a 1gb license

See attached screenshot:
alt text

Whats is the issue? We didn't reach the limit yet.

In addition, I'm getting the alert "Daily indexing volume limit exceeded. See License Manager for details."

Thanks!

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

View solution in original post

abovebeyond
Communicator

I can see that one of the indexes is consuming my license a lot.
I will need to search inside this index to find out what causing it.

The search option is blocked now. what can i do ?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

As mentioned in the documents, either you have to contact your local splunk support to get a reset code or adjust the license pools if you have more than one

0 Karma

abovebeyond
Communicator

Thanks ! !

0 Karma

abovebeyond
Communicator

How can i avoid this (first time im getting this error)
how can i determine what is the most "indexing" server? probably there are servers that flood my splunk with no reason

Thanks !

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

You can try running the below to find out which source, sourcetype or host is pushing more data

index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

Replace st with s,h,idx for source,host or index based breakdown

More details here : http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Aboutlicenseviolations

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!