Deployment Architecture

Why did a license slave indexer receive a license violation when the indexing volume is still less than the license volume limit.

Masa
Splunk Employee
Splunk Employee

I have 20GB license in my license master. And, I made an indexer as a license slave to the master.
The indexer indexes about 1GB daily.

Since I made the indexer license slave, I receive license violation warning every day. The license pool volume usage is about 13GB every day. Why did I receive license violation for the indexer every day?

1 Solution

Masa
Splunk Employee
Splunk Employee

Please check the license master's Manager --> Licensing, and make sure you see the slave in the pool while you can see other indexers under the pool.

If not, please click "Edit" of the license pool and see if the indexer is assigned to the pool. If you have set the pool to "Specific Indexers", not "Any Indexer that connects", you have to assign the slave indexer to the pool manually.

So, if the slave did not belong to any pool, the slave was entitled to zero volume license. As a result, the slave indexer received a license violation every day.

Or, if the license slave was disconnected over 24 hours, the indexer will get a license violation. In that case, you can find a warning message in the slave indexer's splunkd.log.

View solution in original post

Masa
Splunk Employee
Splunk Employee

Please check the license master's Manager --> Licensing, and make sure you see the slave in the pool while you can see other indexers under the pool.

If not, please click "Edit" of the license pool and see if the indexer is assigned to the pool. If you have set the pool to "Specific Indexers", not "Any Indexer that connects", you have to assign the slave indexer to the pool manually.

So, if the slave did not belong to any pool, the slave was entitled to zero volume license. As a result, the slave indexer received a license violation every day.

Or, if the license slave was disconnected over 24 hours, the indexer will get a license violation. In that case, you can find a warning message in the slave indexer's splunkd.log.

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...