About license violations
This topic discusses license violations, how they come about, and how to resolve them. Before you proceed, you may want to review these topics:
- Read "How Splunk licensing works" in this manual for an introduction to Splunk licensing.
- Read "Groups, stacks, pools, and other terminology" in this manual for more information about Splunk license terms.
What are license violations and warnings?
Warnings and violations occur when you exceed the maximum indexing volume allowed for your license.
If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled for the offending pool(s). Other pools will remain searchable and be unaffected, as long as the total license usage from all pools does not exceed the total license quota for the license master.
Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact your sales rep. See the Installation Manual for instructions on how to apply it.
Note: Summary indexing volume is not counted against your license, although in the event of a license violation, summary indexing will halt like any other non-internal search behavior.
If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.
During a license violation period:
- Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
- Searches to the
_internalindex are not disabled. This means that you can still access the Indexing Status dashboard or run searches against
_internalto diagnose the licensing problem.
What license warnings look like
If indexers in a pool exceed the license volume allocated to that pool, you will see a yellow warning banner across the top of Splunk Web:
Clicking on the link in the banner takes you to Manager > Licensing, where the warning shows up under the Alerts section of the page. Click on a warning to get more information about it.
A similar banner is shown on license slaves when a violation has occurred.
Here are some of the conditions that will generate a licensing alert:
- When a slave becomes an orphan, there will be an alert (transient and fixable before midnight)
- When a pool has maxed out, there will be an alert (transient and fixable before midnight)
- When a stack has maxed out, there will be an alert (transient and fixable before midnight)
- When a warning is given to one or more slaves, there will be an alert (will stay as long as the warning is still valid within that last 30-day period)
About the connection between the license master and license slaves
When a license master instance is configured, and license slaves are added to it, the license slaves communicate their usage to the license master every minute. If the license master is unreachable for any reason, the license slave starts a 24-hour timer. If the license slave cannot reach the license master for 24 hours, search is blocked on the license slave (although indexing continues). Users will not be able to search data in the indexes on the license slave until that slave can reach the license master again.
To find out if a license slave has been unable to reach the license master, look for an event that contains
failed to transfer rows in splunkd.log or search for it in the _internal index.
How to avoid license violations
To avoid license violations, monitor your license usage and ensure you have sufficient license volume to support it. If you do not have sufficient license volume, you need to either increase your license or decrease your indexing volume.
Here are some options for monitoring license usage:
- Use the Splunk on Splunk app to see how licensing capacity is used in your deployment.
- Navigate to Manager > Licensing to view details about your license, including your license warnings and violations.
- Use the "Indexing volume" status dashboard in the Search app to see details about index volume in your infrastructure. Note that the overview includes internal indexing, which does not count against your license.
Access the Indexing volume status dashboard
To see the "Indexing volume" dashboard:
1. Log into Splunk Web and navigate to the Search app.
2. Click Status > Index activity > Indexing volume.
3. Choose a server, "split-by" option (to see indexing volume by source, source type, index, or host), and a time range. The dashboard will reload automatically and update your results.
4. To drill down into more detail, click on a row in the list. From there, you can view the events on a timeline. To view the events themselves, click on a bar in the timeline:
Correcting license warnings
If Splunk is telling you to correct your license warning before midnight, you've probably already exceeded your quota for the day. The license quota will reset at midnight, so you have until then to fix your situation and ensure that you won't go over quota tomorrow, too.
Once you've already indexed data, there is no way to un-index data that will give you "wiggle room" back on your license. You need to do one or more of the following:
- Get additional license room, either by purchasing a bigger license or by rearranging license pools if you have a pool with extra license room.
- Use less of the license.
Take a look at this Community Wiki topic to learn which data sources are contributing the most to your quota.
Once you've determined your data culprit, decide whether or not you need all the data it is emitting. If not, read "route and filter data" in the Deploying Splunk Manual.
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around license violations.
Swap the license master
About Splunk Free
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18