About license violations
This topic discusses license violations, how they occur, and how to resolve them. Before you proceed, you might want to review these topics:
- Read Types of Splunk software licenses for information about the new no-enforcement license.
- Read How Splunk Enterprise licensing works for an introduction to Splunk Enterprise licensing.
What are license violations and warnings?
Warnings and violations occur when you exceed the maximum indexing volume allowed for your license.
If you exceed your licensed daily volume on any one calendar day, you get a violation warning. If you have 5 or more warnings on an enforced Enterprise license, or 3 warnings on a Free license, in a rolling 30-day period, you are in violation of your license. Unless you are using a Splunk Enterprise 6.5.0 or later no-enforcement license, search is disabled for the offending pool(s). Other pools remain searchable, as long as the total license usage from all pools is less than the total license quota for the license master.
Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact your sales representative. See Install a license.
Starting with Splunk Enterprise 6.5.0, Enterprise customers can request a no-enforcement license. This license warns you when you exceed your license quota or are in license violation, but it does not disable search. Even during a violation period, search remains enabled. See Types of Splunk software licenses for details.
Note: Summary indexing volume does not count against your license, although in the event of a license violation, summary indexing halts like any other noninternal search behavior. Internal indexes (for example, _introspection) do not count against your license volume.
If you get a license warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30 day period.
What happens during a license violation?
During a license violation period:
- Splunk software does not stop indexing your data.
- If you are using a pre-6.5.0 license, Splunk software blocks search while you are in license violation. This restriction includes scheduled reports and alerts.
- If you are using a new no-enforcement license, search continues even while you are in license violation. See Types of Splunk software licenses.
- Searches to the internal indexes are never disabled. This means that you can access the Monitoring Console or run searches against _internal to diagnose the licensing problem.
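The warning and violation rules above, worked through as an added example (not Splunk code): it counts over-quota days in a rolling 30-day window and reports when search would be blocked. The function names, the input shape, the sample volumes, and the reading of the window as the current day plus the 29 days before it are assumptions.

```python
from collections import deque
from datetime import date, timedelta

# Thresholds stated on this page: warnings within a rolling 30-day period.
WARNING_LIMIT = {"enterprise": 5, "free": 3}
WINDOW_DAYS = 30

def license_timeline(daily_bytes, quota_bytes, license_type, enforced=True):
    """Walk calendar days in order; return one status dict per day.

    daily_bytes: {date: bytes indexed that day} (constructed input, not Splunk output).
    Assumption: the window is the current day plus the 29 days before it.
    """
    limit = WARNING_LIMIT[license_type]
    recent = deque()  # dates of warnings still inside the window
    timeline = []
    day, last = min(daily_bytes), max(daily_bytes)
    while day <= last:
        # Expire warnings that have aged out of the rolling window.
        while recent and recent[0] <= day - timedelta(days=WINDOW_DAYS):
            recent.popleft()
        # Exceeding the daily quota earns one warning for that calendar day.
        if daily_bytes.get(day, 0) > quota_bytes:
            recent.append(day)
        in_violation = len(recent) >= limit
        timeline.append({
            "day": day,
            "warnings": len(recent),
            "in_violation": in_violation,
            # A no-enforcement license warns but never disables search.
            "search_blocked": in_violation and enforced,
        })
        day += timedelta(days=1)
    return timeline

def sample_usage():
    """Constructed sample: 1 GB quota, five over-quota days in early March."""
    gb = 1024 ** 3
    usage = {date(2018, 3, 1) + timedelta(days=i): gb // 2 for i in range(45)}
    for d in (1, 3, 5, 8, 10):
        usage[date(2018, 3, d)] = 2 * gb
    return usage, gb

if __name__ == "__main__":
    usage, quota = sample_usage()
    for row in license_timeline(usage, quota, "enterprise"):
        if row["warnings"]:
            print(row["day"], row["warnings"], "BLOCKED" if row["search_blocked"] else "ok")
```

With this sample, an enforced Enterprise license loses search on the fifth warning and regains it once the oldest warning ages out of the window; a Free license is blocked earlier and for longer.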
What license warnings look like
If indexers in a pool exceed the license volume allocated to that pool, you will see a message in Messages on any page in Splunk Web.
Clicking the link in the message takes you to Settings > Licensing, where the warning displays under the Alerts section of the page. Click a warning to get more information about it.
A similar message displays on license slaves when a violation has occurred.
Here are some of the conditions that generate a licensing alert:
- When a slave becomes an orphan, there is an alert (transient and fixable before midnight).
- When a pool has maxed out, there is an alert (transient and fixable before midnight).
- When a stack has maxed out, there is an alert (transient and fixable before midnight).
- When a warning is given to one or more slaves, there is an alert. The alert stays as long as the warning is still valid within that last 30-day period.
About the connection between the license master and license slaves
When you configure a license master instance and add license slaves to it, the license slaves communicate their usage to the license master every minute. If the license master is down or unreachable for any reason, the license slave starts a 72 hour timer. If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave (although indexing continues). Users cannot search data in the indexes on the license slave until that slave can reach the license master again.
To find out if a license slave has been unable to reach the license master, look for an event that contains "failed to transfer rows" in splunkd.log or search for it in the
Avoid license violations
To avoid license violations, monitor your license usage and ensure you have sufficient license volume to support it. If you do not have sufficient license volume, you need to either increase your license or decrease your indexing volume.
The distributed management console contains alerts that you can enable, including one that monitors license usage. See Platform alerts in Monitoring Splunk Enterprise.
Use the License Usage report to see details about and troubleshoot index volume in your deployment. Read about the license usage report view in the next chapter.
Correcting license warnings
If Splunk software tells you to correct your license warning before midnight, your quota is probably already exceeded for the day. This is called a "soft warning." The daily license quota resets at midnight (at which point the soft warning becomes a "hard warning"). You have until then to fix your situation and ensure that you will not go over quota tomorrow, too.
Once data is already indexed, there is no way to un-index data to give you "wiggle room" back on your license. You need to get additional license room in one of these ways:
- Purchase a bigger license.
- Rearrange license pools if you have a pool with extra license room.
- Request a no-enforcement Enterprise license if your license master is running Splunk Enterprise 6.5.0 or later.
If you cannot do any of these, prevent a warning tomorrow by using less of your license. Use the License Usage Report View to learn which data sources are contributing the most to your quota.
Once you identify a data culprit, decide whether you need all the data it is emitting. If not, read Route and filter data in the Forwarding Data manual.
About metrics license usage
Unlike event data, metrics data counts against a license at a fixed 150 bytes per metric event. Metrics data does not have a separate license. Ingesting metrics data draws from the same license quota as event data.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1