I just set up Splunk yesterday, running the free edition for now. I'm indexing about 100-150MB a day tops. Yesterday I loaded up a bunch of historical data and got a violation as expected; however, today I'm now seeing "This pool contains slave(s) with 1 warnings" as a current alert telling me to correct before midnight with absolutely ZERO indication as to what the real issue is, along with the expected permanent violation.
What gives here? I have no slaves, just forwarders, and currently the licensing manager is showing our volume used today as 114 MB out of the 500MB quota. Am I going to get another violation for uh, not violating the license? If that's not the case, this should really be reworded to not raise alarm.
Splunk will "remember" a license violation for 30 days. A warning message for this violation will show for 14 days. See more here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations
This is not my strongest subject, but if I recall correctly all installations have a license master and a license slave, even single-box setups. The master holds a license pool, and slaves can draw from it.
Re how this has been designed - yes, I think any such suggestions would be better directed at Splunk staff directly instead of here (I'm no Splunk employee myself).
That seems like bad design to me, specifically the wording that it's a current violation that must be corrected by midnight, rather than a prior violation that has already caused a strike and can be ignored at this point.
Also, the docs are very clear that when a message like this shows up, you will get a strike; it said basically nothing about displaying errors from a single system like this. There are no slaves, so a message about slaves is nonsensical.
Ah well, though. I'll poke at the Splunk folks on the wording here once we've bought Splunk Enterprise.