Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

6.6.1 License Violation due to auto_generated_pool-enterprise

molinarf
Communicator
‎06-21-2017 01:55 PM

There was a license violation because the auto_generated_pool-enterprise had gone over the license of 1GB indexing. For the last month, the indexing volume ranged from .159 to .53. This morning sometime the indexing volume jumped to 1.12 GB. I am trying to determine what caused the sudden jump as now it is back to .16. In the event itself the type was a Rollover Summary. I am not really sure where to start looking for the answer.

Configuration:
Windows 2012 R2
Splunk 6.6.1
Single indexer which is the license master

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

molinarf
Communicator
‎07-24-2017 12:12 PM

the problem was with the McAfee log collection. Disabling that collection cleared the problem.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

molinarf
Communicator
‎07-24-2017 12:12 PM

the problem was with the McAfee log collection. Disabling that collection cleared the problem.

0 Karma
Reply
Solved! Jump to solution

molinarf
Communicator
‎06-21-2017 03:07 PM

I looked at the License Usage report for the previous 30 days. Yesterday showed a huge increase and it is in the WinEventLog:Security that pushed it over the edge. When I look at it the host server for Splunk was generating the bulk of it at least from what I could tell. I am not sure it is a local performance monitoring or Local event log collection. I did change the local event log collection to exclude McAfee. Hopefully it fixes the problem.

Thanks for the direction, I'll let you know how it goes.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎06-21-2017 02:24 PM

I suggest that you use the Monitoring Console for an overview of the indexing rate and where the data came from.

There should also be a "Learn More" link in the Licensing pages which will give you more information and a link to the documentation.

Here are a few other links that might be useful:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Aboutlicenseviolations

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/AboutSplunksLicenseUsageReportView

http://docs.splunk.com/Documentation/Splunk/6.6.1/DMC/DMCoverview

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...