License server work principles

guahos
Explorer

Hello!
I am planning the following setup:
3 single-site indexing clusters in 3 separate locations, with the Deployment/License server and the Search Head at one of the 3 sites.
And I have a couple of questions regarding License server work principles:
- How does it actually count the amount of stored logs? Do indexing peers send the information about how much data they have stored to the License server? Or does the Cluster master send that info? Or do forwarders send the info about how much data they have forwarded to indexers?
- What will happen if the License server goes down? Will data still be stored on indexers while the License server is down? Would searching be available while the License server is down?


gfuente
Motivator

Hello

The indexers are the nodes that report how much they are indexing. If an indexer can't connect to the License Server in 24 hours, it will generate a warning (the same as if you index more than your total license volume).

The indexers will never stop indexing data due to license issues.

Regards


nkourtidis_splu
Splunk Employee

The right answer is 72 hours and can be found here:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Aboutlicenseviolations#About_the_connection_...

The license slaves communicate their usage to the license master every minute. If the license master is down or unreachable for any reason, the license slave starts a 72 hour timer. If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave (although indexing continues).
