Deployment Architecture

Impact on re-creating Auto Generated Pool License

iherre312
Explorer

Currently, we have been getting some warnings in our environment that we are reaching our license quota.

Unfortunately, this seems to happen when there is a backlog of events that come in at one time and caused our license quota to be reached. Today we noticed that there were only 2/4 indexers showing in our auto_generated_license_pool.
Are there any impacts to recreating the auto_generated_license_pool so that we can configure 4/4 indexers as license slaves?
We have done a rolling restart of the cluster peers, the SH and the CM and our license quota is still showing up over our limit because the events appear to primarily get indexed by one of the indexers. Any help is appreciated. Thanks!

Tags (1)
0 Karma

fairje
Communicator

All your indexers (really all of your servers) should be showing up in your license master under whatever pool (default pool is the catch all) you have specified. For example I have 14 servers registering under my default license pool, although I only have 4 indexers. As long as you turn off indexing on everything else this should be fine and you will only see hits against your license from your indexers.

I would validate the settings on your servers that are not showing up in the pool to see if maybe you typo'd a setting. From the GUI go to Settings - Licensing - Switch to Slave. If you are already set as a slave, change yourself to a local master, and then reset it back as a slave making sure your settings are correct. (alternatively, these settings are stored in your server.conf file).

As for the licensing itself, if things are not balanced across your indexers evenly I would check your outputs files across the deployment to ensure that you are appropriately set to auto load balance across all four indexers. It could be that the events are going to one server over another because of this.

If these settings are valid and you are still seeing it unevenly balanced, check your splunkd.log and verify that you are not showing errors in TCPOut / TCPIn that says you were unable to connect to X server.

Sorry this one is a bit all over the place, since it could be a couple of different issues. Now if you mean you are actually going over your license, you might want to talk with your Splunk Account rep about pulling your events under the license or getting a larger license.

Hope this helps!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...