Splunk Search

My Splunk Light license expired, so I switched to free, but why did I immediately get license violations and search was disabled?

staze
Path Finder

All,

I had Splunk Light installed (version 6.4.0). Tried to log in, but noticed that the license had expired, so I switched to free. Great. Now I get:

This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool contains slave(s) with 16 warnings
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members
This pool contains 1 slave/s in violation
This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members

And search doesn't work (if I try to search, I just get no results, rather than a disabled warning). I am assuming these are license violations (though they don't say that specifically), and since I just got 16 of them, even though I don't get anywhere NEAR 500MB/day with this install (more like 15MB/day, at most), I'm assuming I won't get search for 30 days?

Please advise. This is running on a Mac (10.11.5). Thanks!

0 Karma
1 Solution

staze
Path Finder

Splunk support, Robb, was able to get me through the process. Couple licenses, couple restarts, then a switch back to free, and it works great.

Thanks!

View solution in original post

0 Karma

staze
Path Finder

Splunk support, Robb, was able to get me through the process. Couple licenses, couple restarts, then a switch back to free, and it works great.

Thanks!

0 Karma

hvspa
New Member

hi, how can i contact Robb or someone else from Splunk support to help me with the same problem? i kind a did not loginto the system for few days and now after switching to free license, i am stuck with following messages and search does not work, even though my usage is 15% (80mb per day):

Nov 2, 2019, 12:00:00 AM
(15 hours ago) This pool has exceeded its configured poolsize=0 bytes. A warning has been recorded for all members core auto_generated_pool_download-trial download-trial pool_over_quota

please, who can i contact to get help on this?

0 Karma

staze
Path Finder

Got an answer back from Splunk support that this may be a known issue with license replacement/expiration. They are going to get me a license extension so I can more gracefully convert to the free license. Will post back...

0 Karma

ddrillic
Ultra Champion

Apparently the best thing to do is to reinstall Splunk.

The issue of This pool has exceeded its configured poolsize=0 bytes and the solution are at - License Free and pool size

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Based on the messages, one of your indexers was configured with a license pool of zero bytes (probably no pool at all) for sixteen days. That caused sixteen license warnings, iirc having more than three warnings in a 30-day window is a license violation for the free license.

Make sure your indexers all have sufficiently large license pools now to avoid new warnings on each new day. Then you'd have to wait for enough warnings to age out of the 30-day window.

In theory there are license violation reset keys, though I don't know of anyone ever getting one for a free license. According to your profile text you work for a US university? If you're an Internet2 member you should check out http://www.internet2.edu/products-services/cloud-services-applications/splunk/

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...