All Apps and Add-ons

Why am I seeing a license violation warning when we haven't exceeded the limit yet?

Communicator

Hi,

I'm getting a license error on my Splunk server, we have a 1gb license

See attached screenshot:
alt text

Whats is the issue? We didn't reach the limit yet.

In addition, I'm getting the alert "Daily indexing volume limit exceeded. See License Manager for details."

Thanks!

0 Karma
1 Solution

SplunkTrust
SplunkTrust

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

View solution in original post

SplunkTrust
SplunkTrust

As mentioned in the dashboard, it's showing only for today.

Run the below search for last 'n' days and see how was your license usage

index=_internal source=*license_usage.log type=RolloverSummary| eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool

Also under the license manager, you will be able to see the exceeded license details

View solution in original post

Communicator

I can see that one of the indexes is consuming my license a lot.
I will need to search inside this index to find out what causing it.

The search option is blocked now. what can i do ?

0 Karma

SplunkTrust
SplunkTrust

As mentioned in the documents, either you have to contact your local splunk support to get a reset code or adjust the license pools if you have more than one

0 Karma

Communicator

Thanks ! !

0 Karma

Communicator

How can i avoid this (first time im getting this error)
how can i determine what is the most "indexing" server? probably there are servers that flood my splunk with no reason

Thanks !

0 Karma

SplunkTrust
SplunkTrust

You can try running the below to find out which source, sourcetype or host is pushing more data

index=_internal source=license_usage.log
type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by st limit=20

Replace st with s,h,idx for source,host or index based breakdown

More details here : http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Aboutlicenseviolations

0 Karma