
Getting a pool warning for a pool that has 100 meg allocated in a 2 gig license but LM shows only 23 MB indexed today!

wrangler2x
Motivator

We are sharing 100 megabytes of our 2 gigabytes daily license with another system that monitors an Apache web log. The volume of log data is typically around 25 MB a day. URL/manager/system/licensing page shows only 23 MB used by this pool so far today, but the warning we are getting on the yellow warning bar is:

Daily indexing volume limit exceeded for 1 slaves. See License Manager for details.

Clicking on that, the message is:

2 pool warnings reported by 1 indexer   Correct by midnight to avoid violation

Drilling down, we see

indexing quota exceeded for this pool, poolsz=104857600 bytes

Why is that being generated? Had this four times last week. At midnight this will make a fifth violation. Previously the log file was many gigabytes, and based on splunkd.log was getting re-read, so those four I understand. But yesterday I rolled out that log and hup'd the Apache server creating the logs, so started with a new log file at 0 bytes, now ~23 megs. followtail = 0 in inputs.conf. Any ideas what the heck is going on?

1 Solution

wrangler2x
Motivator

I think I get what this is now. The 5 warnings must be the four warnings
we saw yesterday, plus the one generated at midnight last night. So I think
it is announcing not that this pool went over quota today, but that it has
five times in the past.

And the second message must be a confirmation that these 5 warnings
place the pool in violation of the license.

Can anyone confirm if this is what is going on?


0 Karma


wrangler2x
Motivator

That is in fact what was going on.

0 Karma

gryz
Explorer

Did you switch to a local Master License server at some point?

I had something similar due to switching to a local master and then back.

To fix it, I had to switch back to local Master, get a reset key and then switch back to being a slave.

Seems similar somehow ...

0 Karma