Splunk® Enterprise

Admin Manual

About license violations

This topic discusses license violations, how they occur, and how to resolve them.

What are license violations and warnings?

Warnings and violations occur when you exceed the maximum daily indexing volume allowed for your license. Daily indexing volume is measured from midnight to midnight by the clock on the license master.

If you exceed your licensed daily volume on any one calendar day, you get a violation warning. For a Splunk Enterprise license, if you get five or more warnings in a rolling 30 day period, you are in violation of your license.

If you are using a pre-6.5 Splunk Enterprise license and have not applied a no-enforcement license, a license violation disables search for the offending license pools. Other pools remain searchable, as long as the total license usage from all pools is less than the total license quota for the license master. Search capabilities return when you have fewer than five warnings in the previous 30 days, or when you apply a temporary reset license. To obtain a reset license, contact your sales representative.

Starting with 6.5, Splunk Enterprise uses no-enforcement licenses. A no-enforcement license warns you when you exceed your license quota or are in license violation, but it does not disable search.

If you get a license warning, you have until midnight, using the clock on the license master, to resolve the warning before it counts against the total number of warnings allowed within the rolling 30 day period.
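The warning and violation rules above can be checked against your own daily usage figures. The following is an added example, not Splunk code: it assumes the rolling period is the 30 calendar days ending on the day being evaluated, and the quota and usage numbers are constructed sample data.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30   # rolling period named on the page
VIOLATION_AT = 5   # five or more warnings in the window is a violation
GB = 1024 ** 3


def license_status(daily_bytes, quota_bytes):
    """Map each day to (warnings in its rolling window, in_violation)."""
    warning_days = [d for d, used in daily_bytes.items() if used > quota_bytes]
    status = {}
    for day in sorted(daily_bytes):
        # Assumption: the window is the 30 calendar days ending on `day`.
        window_start = day - timedelta(days=WINDOW_DAYS - 1)
        count = sum(1 for w in warning_days if window_start <= w <= day)
        status[day] = (count, count >= VIOLATION_AT)
    return status


def violation_periods(status):
    """Collapse consecutive violation days into (first_day, last_day) pairs."""
    periods, start, prev = [], None, None
    for day in sorted(status):
        if status[day][1]:
            start = start or day
            prev = day
        elif start:
            periods.append((start, prev))
            start = None
    if start:
        periods.append((start, prev))
    return periods


# Constructed sample: 100 GB/day quota, 45 days of usage, five overage days.
QUOTA = 100 * GB
FIRST = date(2019, 3, 1)
OVER = {FIRST + timedelta(days=n) for n in (0, 2, 4, 6, 8)}
USAGE = {FIRST + timedelta(days=n): 80 * GB for n in range(45)}
USAGE.update({d: 120 * GB for d in OVER})

if __name__ == "__main__":
    status = license_status(USAGE, QUOTA)
    for first, last in violation_periods(status):
        print(f"in violation {first} through {last}")
```

With the sample data, the fifth warning starts the violation, and it ends on the first day the oldest warning falls outside the 30-day window.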

What happens during a license violation?

During a license violation period:

  • Splunk software continues to index your data.
  • If you are using a pre-6.5 license, Splunk Enterprise blocks search while you are in license violation. This restriction includes scheduled reports and alerts. You can request a no-enforcement license to re-enable search. See Types of Splunk software licenses.
  • If you are using a 6.5 or later Splunk Enterprise license, search continues even while you are in license violation.
  • Searches to the internal indexes are never disabled. This means that you can use the monitoring console or run searches against the _internal index to diagnose the licensing problem.

What license warnings look like

If license slaves using a license pool exceed the license volume allocated to that pool, you will see a message in Messages on any page in Splunk Web.

Clicking the link in the message takes you to Settings > Licensing, where the warning displays under the Alerts section of the page. Click a warning to get more information about it.

Here are some of the conditions that generate a licensing alert:

  • When a slave becomes an orphan, there is an alert (transient and fixable before midnight).
  • When a pool has maxed out, there is an alert (transient and fixable before midnight).
  • When a stack has maxed out, there is an alert (transient and fixable before midnight).
  • When a warning is given to one or more slaves, there is an alert. The alert remains as long as the warning is still valid for the last rolling 30 day period.

About the connection between the license master and license slaves

When you configure a license master instance and add license slaves to it, the license slaves communicate their usage to the license master every minute. If the license master is down or unreachable for any reason, the license slave starts a 72 hour timer. If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave although indexing continues. Users cannot search data in the indexes on the license slave until that slave can reach the license master again.

To find out if a license slave has been unable to reach the license master, look for an event that contains "failed to transfer rows" in splunkd.log, or search for it in the _internal index.
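One way to turn that log check into an early warning before the 72 hour timer expires, as an added example that is not Splunk code. The log lines are constructed, the timestamp layout and the component name are assumptions, and treating a gap of more than ten minutes between failures as restored contact is a heuristic chosen for this example.

```python
from datetime import datetime, timedelta, timezone

MARKER = "failed to transfer rows"     # string the page says to look for
GRACE = timedelta(hours=72)            # timer before search is blocked
MAX_GAP = timedelta(minutes=10)        # assumption: a longer gap means contact resumed
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"  # assumed splunkd.log timestamp layout


def failure_times(lines):
    """Yield the timestamp of every log line that contains MARKER."""
    for line in lines:
        if MARKER in line:
            yield datetime.strptime(" ".join(line.split()[:3]), TS_FORMAT)


def current_outage(lines, now):
    """Return (outage_start, time_left_before_search_blocks), or None."""
    start = last = None
    for ts in failure_times(lines):   # lines are expected in file order
        if last is None or ts - last > MAX_GAP:
            start = ts                 # a new run of failures begins here
        last = ts
    if last is None or now - last > MAX_GAP:
        return None                    # no failures, or the last run has ended
    return start, max(GRACE - (now - start), timedelta(0))


def constructed_log(start, minutes):
    """Build constructed sample lines, one failure per minute (not real output)."""
    return [f"{(start + timedelta(minutes=m)).strftime(TS_FORMAT)} "
            f"ERROR Component - {MARKER}" for m in range(minutes)]


OLD = datetime(2019, 3, 10, 8, 0, tzinfo=timezone.utc)        # resolved outage
ONGOING = datetime(2019, 3, 12, 22, 14, tzinfo=timezone.utc)  # still failing
SAMPLE = (constructed_log(OLD, 3)
          + ["03-11-2019 09:00:00.000 +0000 INFO Component - unrelated event"]
          + constructed_log(ONGOING, 1500))

if __name__ == "__main__":
    now = ONGOING + timedelta(minutes=1500)
    result = current_outage(SAMPLE, now)
    if result:
        print(f"unreachable since {result[0]}, {result[1]} until search is blocked")
```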

Avoid license violations

To avoid license violations, monitor your license usage and ensure you have sufficient license volume to support it. If you do not have sufficient license volume, you need to either increase your license or decrease your indexing volume.

On the monitoring console, you can enable an alert to monitor license usage. See Platform alerts in Monitoring Splunk Enterprise.

Use the License Usage report to see details about and troubleshoot index volume in your deployment. Read about the license usage report view in the next chapter.

Correcting license warnings

If you receive a message to correct your license warning before midnight, you have probably already exceeded your quota for the day. This is called a "soft warning." The daily license quota resets at midnight, at which point the soft warning becomes a "hard warning." You have until then to fix the situation. You can also take steps to avoid going over the quota the next day.

Once data is already indexed, there is no way to un-index data to reduce volume on your license. Instead, you need to get additional license room in one of these ways:

  • Purchase a larger license.
  • Rearrange your license pools, if you have a pool with extra license volume.

If you cannot perform either of these actions, prevent a warning tomorrow by reducing indexing volume. Use the License Usage Report View to learn which data sources are contributing the most to your quota. Once you identify a culprit, decide whether you can filter out some of its incoming data. See Route and filter data in the Forwarding Data manual.

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6
