Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

About license violations

License violations occur when you exceed the maximum daily indexing volume allowed for your license. Daily indexing volume is measured from midnight to midnight by the clock on the license master.

If you exceed your licensed daily volume on any one calendar day, you get a license violation warning. For a Splunk Enterprise license, if you get five or more warnings in a rolling 30 day period, you are in violation of your license.

If you get a violation warning, you have until midnight, using the clock on the license master, to resolve the warning before it counts against the total number of violation warnings allowed within the rolling 30 day period.

What happens during a license violation?

During a license violation period:

  • Splunk software continues to index your data.
  • If you are using a pre-6.5 license, Splunk Enterprise blocks search while you are in license violation. This restriction includes scheduled reports and alerts. You can request a no-enforcement license to re-enable search. See Types of Splunk software licenses.
  • If you are using a 6.5 or later Splunk Enterprise license, search continues even while you are in license violation.
  • Searches to the internal indexes are never disabled. This means that you can use the monitoring console or run searches against the _internal index to diagnose the licensing problem.

What license warnings look like

If license slaves using a license pool exceed the license volume allocated to that pool, you will see a message in Messages in Splunk Web.

Clicking the link in the message takes you to Settings > Licensing, where the warning displays under the Alerts section of the page. Click the warning for details.

These are some of the conditions that generate a transient warning:

  • When a slave becomes an orphan
  • When a pool has maxed out
  • When a stack has maxed out

These conditions can be fixed before midnight on the license master's clock.

When a warning is given to one or more slaves, there is an alert. The alert remains as long as the warning is still valid for the last rolling 30 day period.

Violations due to problematical connections between license master and slaves

License slaves communicate their usage to the license master every minute. If a slave cannot reach the master for 72 hours or more, search is blocked on the slave, although indexing continues. Users cannot search data in the indexes on the slave until the slave recon ects with the master.

To find out if a license slave has been unable to reach the license master, look for an event that contains failed to transfer rows in splunkd.log or in the _internal index.

Avoid license violations

To avoid license violations, monitor your license usage and ensure that you have sufficient license volume to support it. If you do not have sufficient license volume, you need to either increase the size of your license or decrease your indexing volume.

You can enable an alert on the monitoring console to monitor license usage. See Platform alerts in Monitoring Splunk Enterprise.

You can use the license usage report view on the license master to troubleshoot index volume. See About the Splunk Enterprise license usage report view.

Correct license warnings

If you receive a message to correct a license warning before midnight, your have probably already exceeded your quota for the day. This is called a "soft warning." The daily license quota resets at midnight, at which point the soft warning becomes a "hard warning".

You have until midnight to fix the situation causing the license warning. You can also take steps to avoid going over the quota the next day.

Once data is indexed, there is no way to un-index data to reduce volume on the license. Instead, you need to get additional license volume in one of these ways:

  • Purchase a larger license.
  • Reconfigure your license pools, if you have a pool with extra license volume.

If you cannot perform either of these actions, prevent a warning tomorrow by reducing indexing volume. Use the license usage report view to learn which data sources are contributing the most to your quota. Once you identify a culprit, decide whether you can filter out some of its incoming data. See Route and filter data in the Forwarding Data manual.

Last modified on 06 February, 2020
PREVIOUS
Manage licenses from the CLI
  NEXT
About the Splunk Enterprise license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters