We are getting a pool_over_quota license alert that is growing every day. Our reporting hasn't changed, but the reported "Volume used" is increasing every day by about the amount that we should be using in a day (e.g. instead of showing 10G used each day, on Monday it showed 10G, on Tuesday it showed 20G, Wednesday 30G, etc.). It seems the usage counter is not resetting or rolling over at midnight.
I ran the following search (derived from another Splunk Answers post):
index=_internal source=*license_usage* type=RolloverSummary
and it shows no events since the 14th.
How can we fix this and will we need a reset license (as mentioned in http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Aboutlicenseviolations#What_are_license_viol...) to do so?
Thanks for any help
Assuming this is a distributed environment, I've seen this issue occur when internal logs from the license master are not making it to the indexing tier. For whatever reason this resulted in the license usage never resetting and adding each day, like you're describing here.
This issue was resolved by adding an outputs.conf to forward the logs from the license master to the indexers (and restarting Splunk on the license master).
If you're not able to search for logs from your license master from your search head, this might be the case in your environment that's causing the issue.
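An outputs.conf of the kind the answer above describes, added here as an illustration rather than taken from the thread or from Splunk's own files. It assumes the license master is not itself an indexer, that the indexers listen on the conventional receiving port 9997, and that the hostnames are placeholders to replace with your own.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the license master
# (constructed example; hostnames and port are placeholders)

# Do not keep a local copy of the data; send everything to the indexing tier.
[indexAndForward]
index = false

[tcpout]
defaultGroup = indexers
# Disable the default index filter so _internal (where license_usage.log
# and the RolloverSummary events live) is forwarded, not just main.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997
```

After restarting Splunk on the license master, the search at the top of the thread (index=_internal source=*license_usage* type=RolloverSummary) should start returning a daily event again once the next rollover has occurred.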
I know this post is a little old, but did you ever find the solution? We are having the same issue and I have tried the outputs.conf file route. I implemented this today, so I will see in the morning once the license usage resets if this worked, but in case it doesn't, can you provide the fix?
I built my .conf file exactly like it is in the "indexer" manual, the best practice for the master node section. Not sure if this was right to do or not, but I figured it seemed generic enough that I could use it as it was.
Any tips on a good outputs.conf stanza set?
Try using this:
index=_internal source=*license_usage* type=RolloverSummary pool=auto_generated_pool_enterprise | bucket _time span=1d | stats sum(b) AS volume by _time pool | eval GB = round(volume/1024/1024/1024,2)
This will give you the answer in GB.
Also, the rollover happens around 12:05 AM, so try running the above query for 7 days, and then you can try running this query around 12:15 AM each day.
Let me know if it works.