Deployment Architecture

Why did a license slave indexer receive a license violation when the indexing volume is still less than the license volume limit.

Masa
Splunk Employee
Splunk Employee

I have 20GB license in my license master. And, I made an indexer as a license slave to the master.
The indexer indexes about 1GB daily.

Since I made the indexer license slave, I receive license violation warning every day. The license pool volume usage is about 13GB every day. Why did I receive license violation for the indexer every day?

1 Solution

Masa
Splunk Employee
Splunk Employee

Please check the license master's Manager --> Licensing, and make sure you see the slave in the pool while you can see other indexers under the pool.

If not, please click "Edit" of the license pool and see if the indexer is assigned to the pool. If you have set the pool to "Specific Indexers", not "Any Indexer that connects", you have to assign the slave indexer to the pool manually.

So, if the slave did not belong to any pool, the slave was entitled to zero volume license. As a result, the slave indexer received a license violation every day.

Or, if the license slave was disconnected over 24 hours, the indexer will get a license violation. In that case, you can find a warning message in the slave indexer's splunkd.log.

View solution in original post

Masa
Splunk Employee
Splunk Employee

Please check the license master's Manager --> Licensing, and make sure you see the slave in the pool while you can see other indexers under the pool.

If not, please click "Edit" of the license pool and see if the indexer is assigned to the pool. If you have set the pool to "Specific Indexers", not "Any Indexer that connects", you have to assign the slave indexer to the pool manually.

So, if the slave did not belong to any pool, the slave was entitled to zero volume license. As a result, the slave indexer received a license violation every day.

Or, if the license slave was disconnected over 24 hours, the indexer will get a license violation. In that case, you can find a warning message in the slave indexer's splunkd.log.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...