Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk licensing pool warning not clearing

Ghostoverflow25
Engager
a week ago

Hi,

I accidentally uploaded too much data on one day (a jsonl file) and violated the 500mb limit in place for the splunk enterprise trial. As such, it generated a pool warning:

(info)Correct by midnight to avoid violation Learn moreThis pool contains peer(s) with 1 warning(s)splunkauto_generated_pool_download-trialdownload-trialpool_warning_count

After UTC passed, it generated a "permanent" record with:

Sep 29, 2025, 12:00:00 AM
(2 hours ago)		This pool has exceeded its configured poolsize=524288000 bytes. A warning has been recorded for all memberssplunkauto_generated_pool_download-trialdownload-trialpool_over_quota

However, the first warning did not clear (the info one). Will i continue to receive permanent warnings from this, or can i simply leave it and not repeat my mistake?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thahir
Communicator
a week ago

Hi @Ghostoverflow25 

Since you have exceeded the license limit once, this is not an immediate issue. The warning message will remain visible for a period of time and will eventually clear. but ensure that you do not exceed the daily license usage limit again.

If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
yesterday

Here is documentation what happening when you have license violations and when those are real violations and when those are more or less informative messages.

https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/manage-splunk-licenses/abou...

e.g. with Splunk Free there is this limitation:

If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.

So after three warnings within 14 calendar days your searches have blocked until there is max two warning in 14 days.

But e.g. with Enterprise with more than 100GB/d license you can still search even you have more than 45 breaches within rolling 60 day period. Of course you must contact to Splunk and agree for additional license quota.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
Thursday

Hi @Ghostoverflow25 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution
Solution

thahir
Communicator
a week ago

Hi @Ghostoverflow25 

Since you have exceeded the license limit once, this is not an immediate issue. The warning message will remain visible for a period of time and will eventually clear. but ensure that you do not exceed the daily license usage limit again.

If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
a week ago

Hi @Ghostoverflow25 ,

if you exceed the license limit only one time, it isn't a problem, even if you have the warning for all the day,

Put attention only to one thing: using the Trial License, you can exceed the license only two times in 30 solar days, at the third exceeding, searches will be blocked, and anyway, after 60 days some features will expire.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
a week ago

Hi @Ghostoverflow25 

However, the first warning did not clear (the info one). ---- no need to worry. 

wait for one more day, it will clear. also it is the first warning, right, so no problems at all. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...