Splunk® Enterprise

Admin Manual

About license violations

A license violation occurs after a series of license warnings. License warnings occur when you exceed the maximum daily indexing volume allowed for your license. If you have multiple license warnings and have exceeded the license warning limit for your license, you will get a license violation.

What is a license warning?

License warnings occur when you exceed the maximum daily indexing volume allowed for your license. Here are the conditions:

  • Your daily indexing volume is measured from midnight to midnight using the clock on the license master.
  • If you exceed your licensed daily volume on any one calendar day, you generate a license warning.
  • If you generate a license warning, you have until midnight on the license master to resolve the warning before it counts against the total number of warnings allowed by your license. For guidance on what to do when a warning appears, see Correct license warnings.

What do license warnings look like?

A license warning appears as an administrative message in Splunk Web. Clicking the link in the message takes you to the Licensing page, where the warning appears under Alerts.

These are some of the conditions that generate a license warning:

What happens during a license violation?

A license violation happens when you exceed the number of warnings allowed on your license. The license violation conditions are based upon the license type.

Here is what happens to indexing and search capability during a license violation:

  • Splunk Enterprise continues to index your data.
  • Using search is blocked while you are in violation. This restriction includes scheduled reports and alerts.
  • Searching the internal indexes is not blocked. You can use the monitoring console or run searches against the _internal index to diagnose the licensing problem.

Here is a table of license violation conditions by Splunk Enterprise license type:

| License | Violation conditions |
| --- | --- |
| Splunk Enterprise license | An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate. If you have a license stack with less than 100 GB of data per day of license volume, and you generate 45 license warnings in a rolling 60-day period, you are in violation of your license. If that license stack is split into multiple pools, search is disabled for a pool and its license pool member(s) after 45 warnings over a rolling 60-day window. Other pools and their members will remain searchable if the usage across the remaining license pools does not exceed their allocated license. To reenable search, request a reset license from Splunk Sales. |
| Splunk Enterprise infrastructure license | An Enterprise license based on vCPU usage does not currently violate. |
| Splunk Enterprise trial license | If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available. |
| Dev/Test license | If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available. |
| Free license | If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available. |
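
Because a violation blocks search, including scheduled reports and alerts, it helps to track how many warnings remain before the limit is reached. The following is an added example, not Splunk code: it applies the thresholds from the table above to a list of warning dates. The license-type keys, the function name, the sample dates, and the reading of "rolling period" as the N calendar days ending today are assumptions.

```python
from datetime import date, timedelta

# (warning limit, rolling window in days) per license type, from the table above.
# None means the table says that license type "does not currently violate".
# The dictionary keys are labels made up for this example.
LIMITS = {
    "enterprise_100gb_or_more": None,
    "enterprise_under_100gb": (45, 60),
    "infrastructure": None,
    "trial": (5, 30),
    "dev_test": (5, 30),
    "free": (3, 30),
}


def violation_status(license_type, warning_days, today):
    """Return (in_violation, warnings_counted, warnings_left_before_violation).

    warning_days: dates on which the daily licensed volume was exceeded.
    For license types that do not violate, warnings_left is None and
    warnings_counted is the number of distinct warning days supplied.
    """
    rule = LIMITS[license_type]
    days = set(warning_days)  # one warning per calendar day at most
    if rule is None:
        return (False, len(days), None)
    limit, window = rule
    # Assumption: the rolling window is the `window` calendar days ending today.
    start = today - timedelta(days=window - 1)
    counted = sum(1 for d in days if start <= d <= today)
    return (counted >= limit, counted, max(limit - counted, 0))


if __name__ == "__main__":
    # Constructed sample data: three overage days on a Free license.
    today = date(2020, 10, 8)
    warnings = [date(2020, 9, 1), date(2020, 10, 1), date(2020, 10, 5)]
    print(violation_status("free", warnings, today))                 # 9/1 is outside the window
    print(violation_status("free", warnings + [today], today))       # third warning in window
```
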

Violations due to broken connections between license master and slaves

A license slave communicates its license volume usage to the license master every minute. If a license slave cannot reach the license master for 72 hours or more, the slave is in violation and search is blocked. A violation still allows indexing to continue. Users cannot search the slave in violation until it reconnects with the license master.

To find out if a license slave is unable to reach the license master, search for an error event in the _internal index or the license slave's splunkd.log:

index=_internal LMTracker error "failed to send rows" OR "unable to connect"

Avoiding license warnings

To avoid license warnings, monitor the license usage over time and ensure that you have sufficient license volume to support your daily license use:

  • Enable an alert on the monitoring console to monitor daily license usage. See Platform alerts in Monitoring Splunk Enterprise.

Correcting license warnings

If you receive a message to correct a license warning before midnight, you have already exceeded your license quota for the day. This warning is issued to make you aware of the license use and to provide you time to change or update your license configuration. The daily license volume quota resets at midnight on the license master, and at that point the warning is recorded as a license warning. Most licenses allow for a limited number of warnings before a violation occurs.

Once data is indexed, you cannot change the volume recorded against your license. You can't un-index data. Instead, you need to gain additional license volume using one of these options:

  • If you have another license pool with extra license volume, reconfigure your pools and move license capacity where you need it.
  • Purchase more licenses and add them to the license stack and pool.

If you cannot use either of those options, you can analyze your indexing volume and make a change to reduce the data sources that are using more license than usual. To learn which data sources are contributing the most to your license quota, see the license usage report view.

Once you identify a data source that is using a lot of the licensed volume, you can determine how to manage the data to correct the license warnings:

  • Determine if this was a one-time data ingestion issue. For example, debug logging was enabled on the application logs to troubleshoot an issue, but the logging-level will be reset tomorrow.
  • Determine if this is a new average license usage based upon changes in the infrastructure. For example, a new application or server cluster came online, and the team didn't update you before ingesting their data.
  • Determine if you can filter and drop some of the incoming data. For examples of drop filters, see Route and filter data in the Forwarding Data manual.
Last modified on 08 October, 2020

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0

