About license violations
License warnings occur when you exceed the maximum daily indexing volume allowed for your license. If you have multiple license warnings and have exceeded the license warning limit for your license, you will get a license violation.
What is a license warning?
License warnings occur when you exceed the maximum daily indexing volume allowed for your license:
- Your daily indexing volume is measured from midnight to midnight using the clock on the license master.
- If you exceed your licensed daily volume on any one calendar day, you get a license warning.
- If you get a license warning, you have until midnight on the license master to resolve the warning before it counts against the total number of warnings allowed by your license. See Correct license warnings.
What do license warnings look like?
A license warning appears as an administrative message in Splunk Web. Clicking the link in the message takes you to Settings > Licensing page, where the warning is displayed under Alerts. Click the warning for details.
These are some of the conditions that generate a license warning:
- When a license pool has reached its daily license volume limit.
- When a license stack has reached its daily license volume limit.
- When a license slave is unable to communicate with the license master. See Violations due to broken connections between license master and slaves.
What happens during a license violation?
A license violation happens when you exceed the number of warnings allowed on your license. The license violation conditions are based upon the license type.
During a license violation period:
- Splunk Enterprise continues to index your data.
- Using search is blocked while you are in violation. This restriction includes scheduled reports and alerts.
- Searching the internal indexes is not blocked. You can use the monitoring console or run searches against the
_internalindex to diagnose the licensing problem.
|Enterprise license||An Enterprise license stack does not violate.|
|Enterprise Trial license||If you get five or more warnings in a rolling 30 day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.|
|Dev/Test license||If you get five or more warnings in a rolling 30 day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.|
|Free license||If you get three or more warnings in a rolling 30 day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.|
Violations due to broken connections between license master and slaves
A license slave communicates their license volume usage to the license master every minute. If a license slave cannot reach the license master for 72 hours or more, the slave is in violation and search is blocked. A violation still allows indexing to continue. Users can not search the slave in violation until the slave reconnects with the master.
To find out if a license slave is unable to reach the license master, search for an error event in the
_internal index or the license slave's splunkd.log. For example,
index=_internal LMTracker error "failed to send rows" OR "unable to connect"
Avoiding license warnings
To avoid license warnings, monitor the license usage over time and ensure that you have sufficient license volume to support your daily license use:
- Use the license usage report view on the license master to troubleshoot index volume. See About the Splunk Enterprise license usage report view.
- Enable an alert on the monitoring console to monitor daily license usage. See Platform alerts in Monitoring Splunk Enterprise.
Correcting license warnings
If you receive a message to correct a license warning before midnight, your have probably already exceeded your license quota for the day. This is a "soft warning" issued to make you aware of the license use, and provide time to change or update your license configuration. The daily license volume quota will reset at midnight on the license master, and at that point the soft warning is recorded as a license warning. Most licenses allow for a limited number of warnings before a violation occurs.
Once data is indexed, you cannot un-index data to change the volume recorded against your license. Instead, you need to gain additional license volume using one of these options:
- If you have another license pool with extra license volume, reconfigure your pools and move license capacity where you need it.
- Purchase more license and add it to the license stack and pool.
If you cannot use either of those options, you can still prevent a warning tomorrow by analyzing your indexing volume to determine what sources are using more license than usual. To learn which data sources are contributing the most to your license quota, see the license usage report view. Once you identify a data source that is using more license:
- Determine if this was a one-time data ingestion issue. For example, debug logging was enabled on the application logs to troubleshoot an issue, but the logging-level will be reset tomorrow.
- Determine if this is a new average license usage based upon changes in the infrastructure. For example, a new application or server cluster came online and the team didn't update you before ingesting their data.
- Determine if you can filter and drop some of the incoming data. See Route and filter data in the Forwarding Data manual.
Manage licenses from the CLI
About the Splunk Enterprise license usage report view
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2
Feedback submitted, thanks!