1) Actually, in my project we are using a 20 GB license. Last week we were getting an alert "License warning issued within past 24 hours".
Earlier we did not get any violation alert. How to check deeply on this?
2) And if I was pulling 2 years of data on the Splunk search head, is a 20 GB license enough?
3) If I pulled 2 years of data with a 20 GB license, may I get the violation alert or not?
Monitoring License usage has been solved many times, including:
License Master: Settings -> Licensing -> Usage Report
Monitoring Console: Indexing -> License Usage
Meta Woot! (can track license usage by host): https://splunkbase.splunk.com/app/2949/
Alerts for Splunk Admins (LicenseMaster alerts): https://splunkbase.splunk.com/app/3796/
You can see the detail of your indexed data on your search head server in the "Settings" > "Licensing" > "Usage Report" section.
There you will see graphs with the detail of your indexed data per day; you can see the total GB of your license and what you are using during the day
in real time.
Remember that in a period of 30 days you can have a maximum of 5 violations.
If for any reason you exceed the 5 violations, you enter into a serious violation state where at any time
it will stop indexing the information and you will not be able to perform searches.
So you will need to contact the Splunk support team to send you a "reset" license.
You should plan your license usage by watching the data indexed over a period, not the data indexed in a single day, especially the first one, where you also indexed old data: so the best approach is to analyze the flow of data indexed in two or three working days, so you can understand if the 20GB/day license is the correct one for you.
Anyway, if you exceed the limit you get a warning (the one you received); if you exceed the limit 5 times in 30 solar days you are in violation, but this means only that you have the violation message; indexing and searching continue without problem.
You can read the license conditions at https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Aboutlicenseviolations and https://www.splunk.com/en_us/legal/splunk-software-license-agreement.html .
You can use the search in the License Usage panel divided by sourcetype [Settings -- Licensing -- Usage Report -- Previous 30 days -- Split by sourcetype].
In this way you can understand the data that you indexed in the last 30 days for each kind of source (sourcetype) and you can plan your license and storage.
This is a simplified version of that search:
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
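The answers above describe the rule (one warning for each day over the quota, a violation once more than 5 warnings fall inside 30 days) and the usage-by-sourcetype search. As an added example, not from this thread or from Splunk, the Python script below parses constructed license_usage.log-style type=Usage lines (the line layout and field names are an assumption based on that log, the sample volumes are made up), totals GB per day and per sourcetype the way the search does, flags warning days against the 20 GB/day quota, and applies the rolling 30-day rule to find the day on which a violation would start. It goes a little beyond the page by computing the rolling window instead of only the daily totals.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
DAILY_QUOTA_GB = 20.0      # the 20 GB/day license from the question
ALLOWED_WARNINGS = 5       # warnings tolerated in any 30-day period (per the answers above)
WINDOW_DAYS = 30

# Matches key=value pairs, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_usage_line(line):
    """Return (day, sourcetype, bytes) for a type=Usage line, else None.

    The line layout (timestamp, then key=value pairs such as st="..." and b=...)
    is an assumption modelled on license_usage.log, not text taken from the page.
    An empty st is labelled "(UNKNOWN)", mirroring the page's search.
    """
    if "type=Usage" not in line:
        return None
    day = datetime.strptime(line[:23], "%m-%d-%Y %H:%M:%S.%f").date()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    sourcetype = fields.get("st") or "(UNKNOWN)"
    return day, sourcetype, int(fields["b"])


def daily_usage_by_sourcetype(lines):
    """{day: {sourcetype: GB}} rounded to 3 decimals, like the page's search."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_usage_line(line)
        if parsed:
            day, st, b = parsed
            usage[day][st] += b
    return {d: {st: round(b / GB, 3) for st, b in sts.items()} for d, sts in usage.items()}


def daily_totals_gb(usage):
    """{day: total GB} summed over all sourcetypes."""
    return {d: round(sum(sts.values()), 3) for d, sts in usage.items()}


def warning_days(totals, quota_gb=DAILY_QUOTA_GB):
    """Days whose indexed volume exceeded the quota; each one is a license warning."""
    return sorted(d for d, gb in totals.items() if gb > quota_gb)


def first_violation_day(warnings, window_days=WINDOW_DAYS, allowed=ALLOWED_WARNINGS):
    """Date of the warning that pushes the count inside a rolling window past `allowed`, or None."""
    for i, day in enumerate(warnings):
        window_start = day - timedelta(days=window_days - 1)
        in_window = sum(1 for w in warnings[: i + 1] if w >= window_start)
        if in_window > allowed:
            return day
    return None


def _constructed_line(day, st, gb):
    """Build one constructed type=Usage line (sample data, not real log output)."""
    return (f'{day} 00:05:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/{st}.log" '
            f'st="{st}" h="web01" o="" idx="main" i="0000" pool="auto_generated_pool_enterprise" '
            f'b={int(gb * GB)} poolsz={int(DAILY_QUOTA_GB * GB)}')


_DAYS = {  # constructed daily volumes in GB: (syslog, access_combined)
    "03-01-2020": (15, 4), "03-02-2020": (18, 5), "03-03-2020": (16, 3),
    "03-04-2020": (22, 2), "03-05-2020": (21, 1), "03-06-2020": (20, 1),
    "03-07-2020": (19, 0.5), "03-08-2020": (20, 2), "03-09-2020": (25, 1),
}
# One non-Usage line (constructed) shows that other record types are skipped.
SAMPLE_LOG = ['03-01-2020 00:00:00.000 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=0'] + [
    _constructed_line(day, st, gb)
    for day, vols in _DAYS.items()
    for st, gb in zip(("syslog", "access_combined"), vols)
]


if __name__ == "__main__":
    usage = daily_usage_by_sourcetype(SAMPLE_LOG)
    totals = daily_totals_gb(usage)
    warns = warning_days(totals)
    for d in sorted(totals):
        print(d, totals[d], dict(usage[d]), "WARNING" if d in warns else "")
    print("warnings:", len(warns), "first violation:", first_violation_day(warns))
```

Run it against real data by replacing SAMPLE_LOG with the lines of your license master's license_usage.log (only type=Usage lines are counted); the per-sourcetype table is the same breakdown the Usage Report "Split by sourcetype" view gives you, and the rolling count tells you how close the stack is to the 6th warning.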