Installation

Why is license usage not resetting at midnight and is rolling over to the next day?

tim_recurly
Engager

We are getting a pool_over_quota license alert that is growing every day. Our reporting hasn't changed but the reported "Volume used" is increasing everyday by about the amount that we should be using in a day (e.g. instead of showing 10G used each day, on Monday it showed 10G, on Tuesday is show 20G, Wednesday 30G, etc). It seems the usage counter is not resetting or rolling over at midnight.

I ran the following search (derived from another splunk answers post)

index=_internal source=*license_usage* type=RolloverSummary

and it shows no events since the 14th.

How can we fix this and will we need a reset license (as mentioned in http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Aboutlicenseviolations#What_are_license_viol...) to do so?

Thanks for any help

Labels (1)
Tags (2)

govardha
Path Finder

I have this problem too in 8.0.6 but no idea why it is happening.

0 Karma

tkopchak
Path Finder

Assuming this is a distributed environment, I've seen this issue occur when internal logs from the license master are not making it to the indexing tier. For whatever reason this resulted in the license usage never resetting and adding each day, like you're describing here.

This issue was resolved by adding an outputs.conf to forward the logs from the license master to the indexers (and restarting Splunk on the license master).

If you're not able to search for logs from your license master from your search head this might be the case in your environment that's causing the issue.
index=_internal host=license_master_name

0 Karma

mgiddens
Path Finder

I know this post is a little old, but did you ever find the solution? We are having the same issue and I have tried the outputs.conf file route. I implemented this today so I will see in the morning once the license usage resets if this worked, but in case it doesnt, can you provide the fix?

I built my .conf file exactly like it is in the "indexer" manual; the best practice for master node section. Not sure if this was right to do or not but I figured it seemed generic enough that I could used as it was.
Any tips on a good output.conf stanza set?

Thank you.

  • mgiddens
0 Karma

vr2312
Contributor

Hey @tim_recurly

Try using this :

index=_internal source=*license_usage* type=RolloverSummary  pool=auto_generated_pool_enterprise | bucket _time span=1d | stats sum(b) AS volume by _time pool |  eval GB = round(volume/1024/1024/1024,2)

This will give you the answer in GB.

Also the Rollover happens around 12:05 AM so try running the above query for 7 days and then you can try it out running this query around 12:15 AM each day.

Let me know if it works.

0 Karma

Amandeepsin
New Member

Hi,

This doesn't help at all. Do we have some other fix

Thanks,

0 Karma

yannK
Splunk Employee
Splunk Employee

This is 1 year old, is it still a problem ?

0 Karma

Amandeepsin
New Member

Hi,

I am facing this problem too

Thanks

0 Karma