- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Re: invalid license manager volume - license excee...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
invalid license manager volume - license exceeded
Running build 4.3.3
I need a way to reset the license counter volume.
I'm not seeing any daily 'limit exceeded' errors at this point (I did see that one day last week).
The daily license counter is now up to 930GB...doesn't seem to reset at the 24 hour mark.
Yesterday it was 915, the day before 905...
But I'm getting a error:
‘skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied….’
Could this be the root cause of the license volume issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Paula - there is no published way of resetting your license counter to my knowledge. If you get limits exceeded the requisite number of times in a month then you probably know(?) what happens to your indexing etc? If you are working at those levels then you are clearly not on the free versions, so probably have an enterprise license. Call Splunk or your 3rd party.
You still need to resolve where your issues are coming from - Splunk doesn't arbitrarily continue the volume count, it cycles over each midnight local time.
Run some searches in the 'Search Splunk Answers' for your specifics. I found the following:
index=_internal sourcetype=splunkd source=metrics "group=per_sourcetype_thruput" NOT series="filetrackercrclog" NOT series="splunk*" NOT series="audittrail" NOT series="scheduler" NOT series="searches" NOT series="stash" | eval events=eps*kb/kbps | stats sum(events) as events sum(kb) as kb by series | eval events=round(events,0) | eval kb=round(kb,1)
from Lowell posted way back, so credits to them...
and even hand crafting building on from index="_internal" | timechart sum(kb) by series might give you an insight.
Good luck & BR
D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same issue. I was trying to clarify it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Paula - did you rewrite your question?? This wasn't the issue faced yesterday, true?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Paula - you could start looking at which index and where the volume is coming from. Splunk on Splunk will also give you a lot more info, business spikes aside but not ignoring them - we had a rather eye-opening time during an intrusion detection (pen testing) exercise on firewalls for example!
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
