All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I seeing a license violation warning when we haven't exceeded the limit yet?

abovebeyond
Communicator
‎06-28-2016 11:56 PM

Hi,

I'm getting a license error on my Splunk server, we have a 1gb license

See attached screenshot:
alt text

Whats is the issue? We didn't reach the limit yet.

In addition, I'm getting the alert "Daily indexing volume limit exceeded. See License Manager for details."

Thanks!

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-29-2016 12:15 AM

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-29-2016 12:15 AM

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

Happy Splunking!
Reply
Solved! Jump to solution

abovebeyond
Communicator
‎06-29-2016 01:02 AM

I can see that one of the indexes is consuming my license a lot.
I will need to search inside this index to find out what causing it.

The search option is blocked now. what can i do ?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎06-29-2016 01:08 AM

As mentioned in the documents, either you have to contact your local splunk support to get a reset code or adjust the license pools if you have more than one

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

abovebeyond
Communicator
‎06-29-2016 01:12 AM

Thanks ! !

0 Karma
Reply
Solved! Jump to solution

abovebeyond
Communicator
‎06-29-2016 12:16 AM

How can i avoid this (first time im getting this error)
how can i determine what is the most "indexing" server? probably there are servers that flood my splunk with no reason

Thanks !

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎06-29-2016 12:20 AM

You can try running the below to find out which source, sourcetype or host is pushing more data

index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

Replace st with s,h,idx for source,host or index based breakdown

More details here : http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Aboutlicenseviolations

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...