License Pool Violation - After Search is disabled on a license pool due to 5 violations, does the continued indexing count towards the remaining quota from other pools?

Explorer

I am looking for a little clarity on this...

Like many folks here, I have carved out a small part of our total license volume for QA. For simplicity's sake, let's say I have a 20GB/day license and I carve off 5GB/day for QA. But...one of our QA servers goes nuts and starts spewing crazy amounts of log data.

I know that if the QA_Pool license volume is violated 5 times in a 30-day period, then the search functionality for that pool stops working until one of those violations rolls off. That's fine...I get that.

What I don't quite get is this: Even though the QA box that is spewing logs has blasted through the QA_Pool license volume, it will continue to spew and continue to get indexed...right? And that indexing goes against our TOTAL license volume...so, even though we have the QA pool capped at 5GB, it doesn't prevent a runaway QA machine from blowing through our Full license volume all by itself.

Right? If so...is there an automated way to fix this? We are alerting when the license volumes hit 75%, but it's still a manual process to: 1) Figure out which QA box is spewing the data, 2) Log into that box and shut down the Splunk forwarder.

Or am I missing something here?

Thanks in advance!

Re: License Pool Violation - After Search is disabled on a license pool due to 5 violations, does the continued indexing count towards the remaining quota from other pools?

Splunk Employee

Once an individual pool reaches 5 license violations (3 for the Free Version and 5 for Enterprise) in a 30-day period, search is disabled and indexing continues. The volume from the continued indexing does not count towards any other quota (other pools)... So the QA box can spew its head off until you figure out how to stop it...but it will not blow out your other pool(s). It does not go against some kind of umbrella quota... Once you create a pool with 5GB and a pool with 15GB, you now have two independent license pools...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Re: License Pool Violation - After Search is disabled on a license pool due to 5 violations, does the continued indexing count towards the remaining quota from other pools?

Explorer

Ohhh...that makes much more sense. I didn't pick that up from the documentation.

Now if QA blows through their license pool, but not our corporate license...is there a way for us to internally reset their "License Violations Count"? It is, after all, a self-induced limitation.

Thanks for the info!

-Emmett

0 Karma

Re: License Pool Violation - After Search is disabled on a license pool due to 5 violations, does the continued indexing count towards the remaining quota from other pools?

Splunk Employee

Good question. There's no way for you to reset a pool (although I would imagine you could remove the pool and re-create it...). The License "reset" is in the form of a license that you add... so theoretically it's going to reset all to day 1 of the 30-day clock.

0 Karma

Re: License Pool Violation - After Search is disabled on a license pool due to 5 violations, does the continued indexing count towards the remaining quota from other pools?

Splunk Employee

If that answers your question, please accept my answer. 🙂

0 Karma