I have:
Current
1 pool warning reported by 1 indexer Correct by midnight to avoid violation Learn more
Permanent
1 license window warning reported by 1 indexer 11 hours ago
The license warning I understand. I indexed too much data for the license. OK, my bad.
I don't understand the pool warning. If it is just telling me about the permanent license warning (violation), then why is it telling me to "Correct by midnight to avoid violation"?
Is the pool warning about the license warning going to cause a 2nd permanent warning (violation)?
I think you will find the answers to all of your license questions here:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutlicenseviolations
I believe the answer to your question is No. In this case a pool warning is a notification that you had a problem the day before.
Check Manager>Licensing and scroll down to the % slider to see if you are in violation for the current day.
I downvoted this post because this really doesn't explain what is going on and how to make it stop. It really just talks about a vague policy that you need to talk to an engineer to figure out what exactly is going on.
I was able to confirm this today. A pool warning is simply a warning that you might have a problem, and it will occur the day after you exceed your license volume.
I haven't gone over the limit since the first time, 4 days back.
Licensed daily volume 500 MB
Volume used today 38 MB (7.522% of quota)
Events indexed: 9,039,679
Most of those events were on the 1st day.
I think the pool warning you were seeing was basically a notification that you exceeded your license limit the day before, and that there may be a problem you need to correct.
4 days later, nothing has happened yet.
Seems that the message is wrong/buggy.
A pool warning only applies when you have a pool.
Issuing a pool warning without an active pool is a Splunk bug.
A pool warning is not only about license size; other factors like bad source type, bad design for the indexing, or unknown data type also cause the warning. If it occurs more than 3 times, the violation occurs and search functionality is blocked, but the indexing continues.
The best way to tackle it is to resolve the issue as soon as it occurs. The SOS/Deployment Monitor app is very useful in that case.
The license rules are actually very simple.
If you exceed x number of violations in 30 days, then you can't search. I believe x=3 for a free license, and x=5 for an enterprise license.
Each license violation will roll on its own 30 day schedule, so if you keep less than the limit over a rolling 30 day period then you'll be fine.
A license violation is defined on a day to day basis - if you go over your limit, then it will stick around for 30 days.
"Permanent" may stick around longer, but it will only affect your ability to sleep.
No issues today.
Licensed daily volume 500 MB
Volume used today 35 MB (7.07% of quota)
When you say the answer is "yes", do you mean "yes, the pool warning is only talking about the license warning", or "yes, the pool warning is going to turn into a 2nd permanent warning"?
The page you linked to, and the answers to some other questions, suggest that the pool warning is harmless, and is just bad UI design. But it isn't quite clear.
I guess I'll find out tomorrow.