We are using a standalone environment, and one of the indexes exceeded the daily license volume (50 GB) and indexed around 82 GB, which caused the warning 2 weeks ago with the message "Correct by midnight to avoid violation". Since then, I have been seeing the warning every day, the index which exceeded the daily license volume has not been properly indexing the data, and I'm missing lots of events while I am searching.
Our Environment - Stand Alone
License version - 6.1.3
No. of pools - 1
License purchased - 50 GB /day
License violation - 1 day (indexed 86 GB with license of 50 GB)
How do I get rid of this warning, and are missing events from some of the hosts in that index actually due to the license violation?
Please suggest what to do.
Sorry for the grammar, and thanks in advance.
Contact Support for a license reset key. Make sure you are not continually exceeding your daily license limit. You are allowed 3 violations per month.
I have exceeded it only 1 time this month. So is contacting support for a reset key the only option, or is there any way I can resolve the situation?
Have you reviewed the documentation here? If you are an enterprise customer (which it sounds like you are), you get 5 daily licensed indexing volume violations in a rolling 30-day period.
Splunk does not ever suspend indexing as a result of a license violation. If you reach 5 violations in a 30-day period, search will be disabled, but indexing will continue.
You will only need a reset key if you maxed out your violations, i.e. if you do not ensure that you stay within your licensed daily limit.