
Do pool warnings cause violations?

BenAveling
Path Finder

I have:

Current
1 pool warning reported by 1 indexer Correct by midnight to avoid violation Learn more
Permanent
1 license window warning reported by 1 indexer 11 hours ago

The license warning I understand. I indexed too much data for the license. OK, my bad.

I don't understand the pool warning. If it is just telling me about the permanent license warning (violation), then why is it telling me to "Correct by midnight to avoid violation"?

Is the pool warning about the license warning going to cause a 2nd permanent warning (violation)?

1 Solution

lukejadamec
Super Champion

I think you will find the answers to all of your license questions here:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations

I believe the answer to your question is No. In this case a pool warning is a notification that you had a problem the day before.

Check Manager>Licensing and scroll down to the % slider to see if you are in violation for the current day.

pierrejordonnel
Explorer

I downvoted this post because this really doesn't explain what is going on and how to make it stop. It really just talks about a vague policy that you need to talk to an engineer to figure out what exactly is going on.

0 Karma

lukejadamec
Super Champion

I was able to confirm this today. A pool warning is simply a warning that you might have a problem, and it will occur the day after you exceed your license volume.

0 Karma

BenAveling
Path Finder

I haven't gone over the limit since the first time, 4 days back.

Licensed daily volume 500 MB
Volume used today 38 MB (7.522% of quota)

Events indexed: 9,039,679

Most of those events were on the 1st day.

0 Karma

lukejadamec
Super Champion

I think the pool warning you were seeing was basically a notification that you exceeded your license limit the day before, and that there may be a problem you need to correct.

0 Karma

BenAveling
Path Finder

4 days later, nothing has happened yet.

Seems that the message is wrong/buggy.

0 Karma

lukejadamec
Super Champion

A pool warning only applies when you have a pool.

Issuing a pool warning without an active pool is a Splunk bug.

0 Karma

linu1988
Champion

A pool warning is not only about license size; other factors like a bad source type, bad design for the indexing, or an unknown data type also cause the warning. If it occurs more than 3 times, the violation occurs and search functionality is blocked, but the indexing continues.
The best way to tackle it is to resolve the issue as soon as it occurs. The SOS/Deployment Monitor app is very useful in that case.

0 Karma

lukejadamec
Super Champion

The license rules are actually very simple.
If you exceed x number of violations in 30 days, then you can't search. I believe x=3 for a free license, and x=5 for an enterprise license.
Each license violation will roll on its own 30 day schedule, so if you keep less than the limit over a rolling 30 day period then you'll be fine.
A license violation is defined on a day to day basis - if you go over your limit, then it will stick around for 30 days.
"Permanent" may stick around longer, but it will only affect your ability to sleep.

0 Karma
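
The rolling 30-day rule described in the post above, modelled as an added example (not part of the original thread and not Splunk code): it counts over-quota days inside the window and lists the days on which the count exceeds the limit x. The 30-day window and the x=3 / x=5 limits are taken from the post as stated; the function names and the daily usage figures are constructed for illustration.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # rolling window length, as given in the post


def warning_days(daily_mb, quota_mb):
    """Days whose indexed volume went over the licensed daily quota."""
    return sorted(d for d, mb in daily_mb.items() if mb > quota_mb)


def active_warnings(warnings, on_day):
    """Warnings that still fall inside the rolling window ending on on_day."""
    oldest = on_day - timedelta(days=WINDOW_DAYS - 1)
    return [d for d in warnings if oldest <= d <= on_day]


def search_blocked_days(daily_mb, quota_mb, limit):
    """Days on which the active warning count exceeds `limit` (the post's x)."""
    warnings = warning_days(daily_mb, quota_mb)
    return [d for d in sorted(daily_mb)
            if len(active_warnings(warnings, d)) > limit]


def build_sample():
    """Constructed data: 45 days at 38 MB/day, four days over a 500 MB quota."""
    start = date(2024, 1, 1)
    usage = {start + timedelta(days=i): 38 for i in range(45)}
    for offset in (0, 9, 19, 27):  # Jan 1, Jan 10, Jan 20, Jan 28
        usage[start + timedelta(days=offset)] = 650
    return usage


if __name__ == "__main__":
    usage = build_sample()
    print("warning days:", [d.isoformat() for d in warning_days(usage, 500)])
    for limit in (3, 5):  # limits as stated in the post (assumption)
        blocked = search_blocked_days(usage, 500, limit)
        print(f"x={limit}: search blocked on",
              [d.isoformat() for d in blocked] or "no days")
```

With the sample data the fourth warning pushes the count over x=3 on Jan 28, and the block clears on Jan 31 once the Jan 1 warning leaves the window.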

BenAveling
Path Finder

No issues today.

Licensed daily volume 500 MB
Volume used today 35 MB (7.07% of quota)

When you say the answer is "yes", do you mean "yes, the pool warning is only talking about the license warning", or "yes, the pool warning is going to turn into a 2nd permanent warning"?

The page you linked to, and the answers to some other questions suggest that the pool warning is harmless, and is just bad UI design. But it isn't quite clear.

I guess I'll find out tomorrow.

0 Karma