Hi,
I'm getting a license error on my Splunk server, we have a 1gb license
See attached screenshot:
Whats is the issue? We didn't reach the limit yet.
In addition, I'm getting the alert "Daily indexing volume limit exceeded. See License Manager for details."
Thanks!
As mentioned in the dashboard, it's showing only for today.
Run the below search for last 'n' days and see how was your license usage
index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
Also under the license manager, you will be able to see the exceeded license details
As mentioned in the dashboard, it's showing only for today.
Run the below search for last 'n' days and see how was your license usage
index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool
Also under the license manager, you will be able to see the exceeded license details
I can see that one of the indexes is consuming my license a lot.
I will need to search inside this index to find out what causing it.
The search option is blocked now. what can i do ?
As mentioned in the documents, either you have to contact your local splunk support to get a reset code or adjust the license pools if you have more than one
Thanks ! !
How can i avoid this (first time im getting this error)
how can i determine what is the most "indexing" server? probably there are servers that flood my splunk with no reason
Thanks !
You can try running the below to find out which source, sourcetype or host is pushing more data
index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20
Replace st with s,h,idx for source,host or index based breakdown
More details here : http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Aboutlicenseviolations