Security

Over license limit, can't see why

staze
Path Finder

With the 4.2 update, something has gone sideways, and made me violate my free license every day since the update. The problem is, I can't see why since search is disabled. And given there are 9 violations, I'm going to have a while to wait until I can search again.

But, putting that aside, I'm curious about an error the license manager is throwing.

"This pool contains 71 slave/s in violation". (as a note, this number continues to increase. it now reads 74 slave/s 3 hours later).

I have no slaves (pretty sure I can't even if I wanted to with the free license). And there certainly aren't 71 devices reporting to the server. Makes me wonder if there are multiple indexers trying to run and index the same material multiple times, and that's why I'm going so far over quota. I used to index about 150MB/day with 4.1. Today, alone, 1800MB. So something is wrong.

Any insights? So far, the 4.2 upgrade has been kind of a pain in the butt. =/

Tags (2)

jbsplunk
Splunk Employee
Splunk Employee

There is a topic relevant to troubleshooting indexing volume here:

http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

The searches listed at this link should probably help you locate the source of your volume issues. You may want to contact support to have a license key reset issued. We can issue one of those and get you searching again, but you should be able to search the internal indexes to at least figure out what is happening presently.

0 Karma

staze
Path Finder

this is the free license. It's not possible to have slave indexers from what I can tell. so this whole thing seems rather... broken.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

I would probably follow the instructions here on only allowing specific indexers to connect. Splunk thinks that other indexers/forwarders are connecting and using the license pool.

link:

http://www.splunk.com/base/Documentation/latest/Admin/Addanindexertoalicensepool

0 Karma

staze
Path Finder

great, I'll do that. Though, any idea about the slave/s warning? There are no slaves...

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...