Monitoring Splunk

6.6.1 License Violation due to auto_generated_pool-enterprise

molinarf
Communicator

There was a license violation because the auto_generated_pool-enterprise had gone over the license of 1GB indexing. For the last month, the indexing volume ranged from .159 to .53. This morning sometime the indexing volume jumped to 1.12 GB. I am trying to determine what caused the sudden jump as now it is back to .16. In the event itself the type was a Rollover Summary. I am not really sure where to start looking for the answer.

Configuration:
Windows 2012 R2
Splunk 6.6.1
Single indexer which is the license master

0 Karma
1 Solution

molinarf
Communicator

The problem was with the McAfee log collection. Disabling that collection cleared the problem.

0 Karma

molinarf
Communicator

I looked at the License Usage report for the previous 30 days. Yesterday showed a huge increase, and it is the WinEventLog:Security that pushed it over the edge. When I look at it, the host server for Splunk was generating the bulk of it, at least from what I could tell. I am not sure whether it is local performance monitoring or local event log collection. I did change the local event log collection to exclude McAfee. Hopefully it fixes the problem.

Thanks for the direction, I'll let you know how it goes.

0 Karma

lguinn2
Legend

I suggest that you use the Monitoring Console for an overview of the indexing rate and where the data came from.

There should also be a "Learn More" link in the Licensing pages which will give you more information and a link to the documentation.

Here are a few other links that might be useful:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Aboutlicenseviolations

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/AboutSplunksLicenseUsageReportView

http://docs.splunk.com/Documentation/Splunk/6.6.1/DMC/DMCoverview

0 Karma
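
The breakdown discussed in this thread (which sourcetype and host pushed the pool over 1 GB) can also be pulled straight from the license master's `license_usage.log`. The search below is an added example, not part of the original posts; it assumes the default `_internal` index is searchable on the license master and uses the pool name and 1 GB quota given in the question.

```spl
index=_internal source=*license_usage.log* type=Usage pool="auto_generated_pool-enterprise" earliest=-30d@d latest=now
| bin _time span=1d
| stats sum(b) AS bytes BY _time, st, h
| eventstats sum(bytes) AS day_bytes BY _time
| eval GB=round(bytes/1024/1024/1024, 3), day_total_GB=round(day_bytes/1024/1024/1024, 3)
| where day_total_GB > 1
| sort - _time, - GB
| table _time, day_total_GB, st, h, GB
```

In these events `b` is bytes indexed, `st` the sourcetype and `h` the host; on deployments with many distinct sources and hosts Splunk may leave `h` and `s` empty, in which case group by `st` and `idx` only.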