Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About license violations

License warnings occur when you exceed the maximum daily indexing volume allowed for your license. If you have multiple license warnings and have exceeded the license warning limit for your license, you will get a license violation.

What is a license warning?

License warnings occur when you exceed the maximum daily indexing volume allowed for your license:

  • Your daily indexing volume is measured from midnight to midnight using the clock on the license master.
  • If you exceed your licensed daily volume on any one calendar day, you get a license warning.
  • If you get a license warning, you have until midnight on the license master to resolve the warning before it counts against the total number of warnings allowed by your license. See Correct license warnings.

What do license warnings look like?

A license warning appears as an administrative message in Splunk Web. Clicking the link in the message takes you to the Settings > Licensing page, where the warning is displayed under Alerts. Click the warning for details.

These are some of the conditions that generate a license warning:

What happens during a license violation?

A license violation happens when you exceed the number of warnings allowed on your license. The license violation conditions are based upon the license type.

During a license violation period:

  • Splunk Enterprise continues to index your data.
  • Using search is blocked while you are in violation. This restriction includes scheduled reports and alerts.
  • Searching the internal indexes is not blocked. You can use the monitoring console or run searches against the _internal index to diagnose the licensing problem.

License violation conditions, by license type:

  • Enterprise license: An Enterprise license stack does not violate.
  • Enterprise Trial license: If you get five or more warnings in a rolling 30 day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.
  • Dev/Test license: If you get five or more warnings in a rolling 30 day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.
  • Free license: If you get three or more warnings in a rolling 30 day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.
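
The rolling-window rule in the violation conditions above, worked through on a constructed usage series. This is an added example, not Splunk code: the function names and sample data are hypothetical, the 30-day window is assumed to include the current day, and the 14-day warning persistence is not modeled.

```python
from datetime import date, timedelta

# Warning limits per license type, as stated on this page.
# None means the stack does not violate (Enterprise license).
WARNING_LIMITS = {"enterprise": None, "enterprise_trial": 5, "dev_test": 5, "free": 3}
WINDOW_DAYS = 30  # "rolling 30 day period"; assumed to include the current day


def warning_days(daily_bytes, quota_bytes):
    """Return the sorted calendar days whose indexed volume exceeded the quota."""
    return sorted(day for day, used in daily_bytes.items() if used > quota_bytes)


def first_violation_day(daily_bytes, quota_bytes, license_type):
    """Return the first day on which the number of warnings inside the rolling
    window reaches the limit for this license type, or None if it never does."""
    limit = WARNING_LIMITS[license_type]
    if limit is None:
        return None
    warnings = warning_days(daily_bytes, quota_bytes)
    for i, day in enumerate(warnings):
        window_start = day - timedelta(days=WINDOW_DAYS - 1)
        in_window = [w for w in warnings[: i + 1] if w >= window_start]
        if len(in_window) >= limit:
            return day
    return None


# Constructed sample: a 500 MB/day quota and 45 days of usage, six of them over quota.
QUOTA = 500 * 1024 ** 2
START = date(2021, 1, 1)
OVERAGE_OFFSETS = {2, 9, 16, 35, 40, 44}  # days after START that exceed the quota
SAMPLE_USAGE = {
    START + timedelta(days=n): (QUOTA * 2 if n in OVERAGE_OFFSETS else QUOTA // 2)
    for n in range(45)
}

if __name__ == "__main__":
    for license_type in WARNING_LIMITS:
        print(license_type, first_violation_day(SAMPLE_USAGE, QUOTA, license_type))
```

On this sample the three-warning limit is reached on the third overage day, while the five-warning limit is never reached even though there are six warnings in total, because no 30-day window contains five of them.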


Violations due to broken connections between license master and slaves

A license slave communicates its license volume usage to the license master every minute. If a license slave cannot reach the license master for 72 hours or more, the slave is in violation and search is blocked. A violation still allows indexing to continue. Users cannot search the slave in violation until the slave reconnects with the master.

To find out if a license slave is unable to reach the license master, search for an error event in the _internal index or the license slave's splunkd.log. For example:

index=_internal LMTracker error "failed to send rows" OR "unable to connect"

Avoiding license warnings

To avoid license warnings, monitor the license usage over time and ensure that you have sufficient license volume to support your daily license use:

  • Enable an alert on the monitoring console to monitor daily license usage. See Platform alerts in Monitoring Splunk Enterprise.


Correcting license warnings

If you receive a message to correct a license warning before midnight, you have probably already exceeded your license quota for the day. This is a "soft warning" issued to make you aware of the license use, and provide time to change or update your license configuration. The daily license volume quota will reset at midnight on the license master, and at that point the soft warning is recorded as a license warning. Most licenses allow for a limited number of warnings before a violation occurs.

Once data is indexed, you cannot un-index data to change the volume recorded against your license. Instead, you need to gain additional license volume using one of these options:

  • If you have another license pool with extra license volume, reconfigure your pools and move license capacity where you need it.
  • Purchase more license and add it to the license stack and pool.

If you cannot use either of those options, you can still prevent a warning tomorrow by analyzing your indexing volume to determine what sources are using more license than usual. To learn which data sources are contributing the most to your license quota, see the license usage report view. Once you identify a data source that is using more license:

  • Determine if this was a one-time data ingestion issue. For example, debug logging was enabled on the application logs to troubleshoot an issue, but the logging level will be reset tomorrow.
  • Determine if this is a new average license usage based upon changes in the infrastructure. For example, a new application or server cluster came online and the team didn't update you before ingesting their data.
  • Determine if you can filter and drop some of the incoming data. See Route and filter data in the Forwarding Data manual.
Last modified on 02 December, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2

