Indexers frequently going to internal indexes only...

briancronrath · ‎02-18-2024

For the past couple weeks I will at least once per day have one of our indexers go into internal logs only mode, and the reason it states is that License is expired. It's a bogus message since the license definitely is not expired and also not even close to exceeded, and restarting splunk service on the indexer always clears the error. Unfortunately not much more is provided by the splunk logs that would indicate anything I can investigate.

Has anyone ever ran into similar, or might know where I can look to troubleshoot this further? It's making my life pretty tough because I have to constantly be restarting indexers due to this error.

kiran_panchavat · ‎02-21-2024

@briancronrath

I would request you to contact Sales team to get a temporary reset license.

kiran_panchavat · ‎02-21-2024

@briancronrath

Your splunk deployment is encountering license enforcement restrictions because of that you were not able to search the data from the indexers.

License Enforcement: This means Splunk is enforcing limits based on your current license.

45 warnings: You've received 45 warnings for exceeding your limit within a 60-day window.

Search disabled: If you receive 45 more warnings, search functionality will be disabled.

Possible Causes:

Data Ingestion: You might be ingesting more data than your license allows.

License Type: Your current license might not accommodate your data volume or usage needs.

License Pool Quota: If using a license pool, a specific member exceeding its quota could trigger warnings.

kiran_panchavat · ‎02-19-2024

Could you kindly paste the screenshot of the precise error you are receiving?

briancronrath · ‎02-21-2024

Indexers frequently going to internal indexes only due to errant License Expired messages

troubleshooting

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?