About license violations
License violations occur when you exceed the maximum daily indexing volume allowed for your license. Daily indexing volume is measured from midnight to midnight by the clock on the license master.
If you exceed your licensed daily volume on any one calendar day, you get a license violation warning. For a Splunk Enterprise license, if you get five or more warnings in a rolling 30 day period, you are in violation of your license.
If you get a violation warning, you have until midnight, using the clock on the license master, to resolve the warning before it counts against the total number of violation warnings allowed within the rolling 30 day period.
What happens during a license violation?
During a license violation period:
- Splunk software continues to index your data.
- If you are using a pre-6.5 license, Splunk Enterprise blocks search while you are in license violation. This restriction includes scheduled reports and alerts. You can request a no-enforcement license to re-enable search. See Types of Splunk software licenses.
- If you are using a 6.5 or later Splunk Enterprise license, search continues even while you are in license violation.
- Searches to the internal indexes are never disabled. This means that you can use the monitoring console or run searches against the
_internalindex to diagnose the licensing problem.
What license warnings look like
If license slaves using a license pool exceed the license volume allocated to that pool, you will see a message in Messages in Splunk Web.
Clicking the link in the message takes you to Settings > Licensing, where the warning displays under the Alerts section of the page. Click the warning for details.
These are some of the conditions that generate a transient warning:
- When a slave becomes an orphan
- When a pool has maxed out
- When a stack has maxed out
These conditions can be fixed before midnight on the license master's clock.
When a warning is given to one or more slaves, there is an alert. The alert remains as long as the warning is still valid for the last rolling 30 day period.
Violations due to problematical connections between license master and slaves
License slaves communicate their usage to the license master every minute. If a slave cannot reach the master for 72 hours or more, search is blocked on the slave, although indexing continues. Users cannot search data in the indexes on the slave until the slave recon ects with the master.
To find out if a license slave has been unable to reach the license master, look for an event that contains
failed to transfer rows in
splunkd.log or in the
Avoid license violations
To avoid license violations, monitor your license usage and ensure that you have sufficient license volume to support it. If you do not have sufficient license volume, you need to either increase the size of your license or decrease your indexing volume.
You can enable an alert on the monitoring console to monitor license usage. See Platform alerts in Monitoring Splunk Enterprise.
You can use the license usage report view on the license master to troubleshoot index volume. See About the Splunk Enterprise license usage report view.
Correct license warnings
If you receive a message to correct a license warning before midnight, your have probably already exceeded your quota for the day. This is called a "soft warning." The daily license quota resets at midnight, at which point the soft warning becomes a "hard warning".
You have until midnight to fix the situation causing the license warning. You can also take steps to avoid going over the quota the next day.
Once data is indexed, there is no way to un-index data to reduce volume on the license. Instead, you need to get additional license volume in one of these ways:
- Purchase a larger license.
- Reconfigure your license pools, if you have a pool with extra license volume.
If you cannot perform either of these actions, prevent a warning tomorrow by reducing indexing volume. Use the license usage report view to learn which data sources are contributing the most to your quota. Once you identify a culprit, decide whether you can filter out some of its incoming data. See Route and filter data in the Forwarding Data manual.
Manage licenses from the CLI
About the Splunk Enterprise license usage report view
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6