License Violations continue daily even though I have taken the daily indexing down below the Allowance. With a 500Mb Enterprise limit, I have managed to decrease the amount of data flowing in daily to >200Mb. Yet I continue to get violations.
I have tried re-applying my license, changing to a temporary license, rebooting the server; I even tried to wait out the 7-day period required to refresh the system. Each day I receive a new violation. Right now I'm sitting on violation #21 and there isn't any problem searching.
Should I completely disable all inputs and let it go on for 7 days collecting nothing or is there a better way of making this stop? What would make Splunk get caught in this loop of thinking there are violations when there are not?
I am not sure what may be wrong. But when you say re-applying my license - you mean free license? If not, try switching to free license.
It seems that you have locked your system (we are still indexing data but it is not possible for you to search). In this case you will need to contact Splunk support.
The Support Engineer needs to assist you to re-set your Production license key. In case you are experiencing this problem during an Evaluation of the product (Eval License Key) you can also contact your Sales Account Manager.
I use the Splunk License Usage app to gather data for how much is being indexed for the past 24 hours. I also did my own calculations on the index screen itself, marking down the size of the indexes each day at the same time for 3 days. I haven't exceeded 200Mb yet.
I am not familiar with the License Usage App, but I would make sure that it is displaying relevant data for all custom indexes, not just "main". I would also directly find out what the license manager says by looking in index=_internal source=*license_audit.log and looking at todaysBytesIndexed for each day.
To further analyze where the usage may be coming from, you can run queries against the index=_internal source=*metrics.log, or look at the http://localhost:8000/en-US/app/search/indexing_volume view in 4.1+ which does the same.
The size of the index on disk does not provide you with an accurate count of the amount of data indexed. The size on disk is the size of compressed data plus the size of index files. This is frequently half (or even less) than the actual index volume.
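
The per-day check of todaysBytesIndexed suggested in the answer above, as an added example that is not part of the original thread: it reads license_audit.log-style lines directly and reports which days went over the quota. The line layout (Splunk-style timestamp followed by key=value pairs), the `quota` field name, the reading of the counter as cumulative within a day, and the sample lines themselves are assumptions constructed for illustration; only `todaysBytesIndexed` comes from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample lines. The layout (timestamp, then key=value pairs) and
# the "quota" field name are assumptions; only todaysBytesIndexed is named
# in the thread.
SAMPLE = """\
03-01-2010 23:59:58.101 INFO LicenseManager-Audit - todaysBytesIndexed=180000000 quota=524288000
03-02-2010 12:00:00.004 INFO LicenseManager-Audit - todaysBytesIndexed=250000000 quota=524288000
03-02-2010 23:59:59.220 INFO LicenseManager-Audit - todaysBytesIndexed=610000000 quota=524288000
03-03-2010 23:59:57.870 INFO LicenseManager-Audit - some other message without the field
03-03-2010 23:59:59.001 INFO LicenseManager-Audit - todaysBytesIndexed=199000000 quota=524288000
"""

DATE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) ")
KV_RE = re.compile(r"(\w+)=(\d+)")

def daily_usage(lines):
    """Return {date: (bytes_indexed, quota)} keeping the highest reading per day.

    Assumes the counter only grows during a day, so the peak is the day's total.
    """
    days = OrderedDict()
    for line in lines:
        m = DATE_RE.match(line)
        fields = dict(KV_RE.findall(line))
        if not m or "todaysBytesIndexed" not in fields:
            continue  # no date or no counter on this line
        used = int(fields["todaysBytesIndexed"])
        quota = int(fields["quota"]) if "quota" in fields else None
        prev = days.get(m.group(1))
        if prev is None or used > prev[0]:
            days[m.group(1)] = (used, quota)
    return days

def days_over_quota(days, default_quota):
    """List the dates whose peak reading exceeds the quota in force."""
    return [d for d, (used, quota) in days.items()
            if used > (quota if quota is not None else default_quota)]

if __name__ == "__main__":
    usage = daily_usage(SAMPLE.splitlines())
    for day, (used, _quota) in usage.items():
        print(f"{day}  {used / 1024 / 1024:8.1f} MB")
    print("over quota:", days_over_quota(usage, 500 * 1024 * 1024))
```
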