Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Why do I get license violations on LWFs with the f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have license violations on a couple of our LWFs allthough I think they are set up with the correct forwarding license. The peak usage on most of them is around 4 MB. Is there a possibility to anaylyze this? Will the LWFs stop forwarding data once a threshold is reached?
Thanks for helping me
Chris
This is the output on the shell from one of the forwarders:
admin@lwf /opt/splunkforwarder
$ cat etc/splunk.license
@splunk.com;RV75Gkp9e37JQYTcBsllG+bUSUqGmAud3KqtF48TIIBny6XkjbQjGMzNg1/ 9TkDh5pgaqgpZ8idLCEYstbBph5q2VBYWfnWJpC42dPcmfzlkQcaR7MhSbMeK6P4EjEvbE4xH6tvdbfq ukQCg7N8rY0x/4YX9bKD/jhq0ETWFm1P74wyt6ZfBSdrT/J1midPvZEWIPN6ivoyYQMVNoYJHZDIyFzZ KprYLmLmbZamBrgYsm6rV+JrmUS0l/ltU0DWhaiLVdcF3iUWthgUlSZebGSSn7Wh+efs3XhD3kerwCGs Nr1dv+P4rmD7rcWhTvWexuh0u2/985QihMnZgwYwUNg==
admin@lwf /opt/splunk
$ bin/splunk show license
Current Daily Usage Amount: 0
Expiration date: 2011-03-08T07:07:37+0100
Expiration State: ok
License level: 1 MB
Product: Enterprise
License violations:
2010-11-11T00:02:42+0100 License violation #12
2010-11-08T00:00:05+0100 License violation #11
2010-11-05T00:00:03+0100 License violation #10
2010-11-02T00:05:00+0100 License violation #9
2010-10-31T00:04:58+0200 License violation #8
2010-10-28T00:04:55+0200 License violation #7
2010-10-25T00:04:54+0200 License violation #6
2010-10-23T00:04:53+0200 License violation #5
2010-10-20T00:04:45+0200 License violation #4
2010-10-17T00:04:41+0200 License violation #3
2010-10-14T00:04:38+0200 License violation #2
2010-06-09T00:02:52+0200 License violation #1
Max Violations:
Peak usage: 4 MB
Days remaining: 116 day(s)
Violation Period:
admin@lwf /opt/splunk
$ bin/splunk display local-index
Local indexing is disabled.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your forwarder license is expired...
on 4.1.* please use this fix.
http://splunk-base.splunk.com/answers/12167/why-is-the-license-on-the-forwardersearch-head-displayin...
on 4.2.0, upgrade to 4.2.1 or above.
otherwise change your license group to "forwarder"
(remove the file $SPLUNK_HOME/etc/licenses/enterprise/splunk.license )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your forwarder license is expired...
on 4.1.* please use this fix.
http://splunk-base.splunk.com/answers/12167/why-is-the-license-on-the-forwardersearch-head-displayin...
on 4.2.0, upgrade to 4.2.1 or above.
otherwise change your license group to "forwarder"
(remove the file $SPLUNK_HOME/etc/licenses/enterprise/splunk.license )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am seeing the same behaviour. It seems to have occurred after I switched to load balancing between a pair of Splunk Indexers.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
