Hi
I'm running a trial of Splunk 4.2.4 on our webserver - just one installation, with no forwarders and not pulling any data from separate machines.
I had a problem with my log files yesterday, and resolved it by adding crcSalt=<SOURCE>
to my IIS logfile data inputs - unfortunately I forgot to remove the already-indexed logs, so duplicated a lot of data and exceeded my license amount.
Today I'm getting a second license alert, with the warning This pool contains slave(s) with 1 warnings
. I can't think what this could be referring to, and I'm not sure how to check. I know that if I hit the warning again tomorrow, I'll potentially lose search for 30 days.
Any/all help much appreciated!
Thanks, Adam
Update
I've installed the deployment monitor app, and backfilled the data - it's reporting 0 forwarders, 1 indexer and 1 license pool.
I've just noticed that if I log into splunk.com, my account is listed as having no evaluation licenses. Could that be it? I only installed the trial copy 3 days ago and it should be good for 60 days on the trial.
I got to the bottom of my licence warning.
My goal in trialling Splunk was to monitor our live webserver, web1. I originally set up the Splunk trial on an internal server, with a universal forwarder on web1 sending the data to Splunk. I soon realised this wasn't going to work, as the Splunk trial sees this as a violation.
Instead, I installed Splunk on web1 directly. However, I neglected to stop the Splunk daemon on my previous installation. It turns out the licence is issued to the Splunk.com user - not to each trial usage - so the Splunk was aware that my trial licence was in use on two indexing servers.
Disabling the old installation fixed the problem. Hope this helps someone!
I'm getting something similar, but not quite the same:
This pool contains slave(s) with 0 warning(s)
I have only one instance of Splunk running, there are no slaves. It's installed on my syslog server. I hadn't noticed this message until today, after I changed my trial license to the free one. Is this something I should be addressing?
I have the same message, how did you solve it? (I have 2GB licence)
I didn't resolve it. It's still there, but my install has not stopped working either.
I got to the bottom of my licence warning.
My goal in trialling Splunk was to monitor our live webserver, web1. I originally set up the Splunk trial on an internal server, with a universal forwarder on web1 sending the data to Splunk. I soon realised this wasn't going to work, as the Splunk trial sees this as a violation.
Instead, I installed Splunk on web1 directly. However, I neglected to stop the Splunk daemon on my previous installation. It turns out the licence is issued to the Splunk.com user - not to each trial usage - so the Splunk was aware that my trial licence was in use on two indexing servers.
Disabling the old installation fixed the problem. Hope this helps someone!
@gekoner thanks for your time, I've updated my question
Install Deployment Monitor App or check your splunkd.log on the license.master and the license.slave