Splunk® Enterprise

Admin Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About license violations

A license violation occurs after a series of license warnings. License warnings occur when you exceed the maximum daily indexing volume allowed for your license. If you have multiple license warnings, and have exceeded the license warning limit for your license, you will receive a license violation.

What is a license warning?

License warnings occur when you exceed the maximum daily indexing volume allowed for your license. Here are the conditions:

  • Your daily indexing volume is measured from midnight to midnight using the system clock on the license manager.
  • If you exceed your licensed daily volume in any single calendar day, you generate a license warning.
  • If you generate a license warning, you have until midnight on the license manager to resolve the warning before it counts against the total number of warnings allowed by your license. For guidance on what to do when a warning appears, see Correcting license warnings.

What do license warnings look like?

A license warning appears as an administrative message in Splunk Web. Clicking the link in the message takes you to the Licensing page, where the warning appears under Alerts.

These are some of the conditions that generate a license warning:

What happens during a license violation?

A license violation happens when you exceed the number of warnings allowed on your license. The license violation conditions are based upon the license type.

Here is what happens to indexing and search capability during a license violation:

  • For license stacks with a licensed volume of less than 100 GB per day, using search is blocked while you are in violation. This restriction includes scheduled reports and alerts.
  • Splunk Enterprise continues to index your data.
  • Searching the internal indexes is not blocked. You can use the monitoring console or run searches against the _internal index to diagnose the licensing problem.
  • If you're using a license manager, a message will appear in the Search app, and in Global Messages navigation bar on the search heads notifying all users that their license is invalid, or has expired.


Here is a table of license violation conditions by Splunk Enterprise license type:

License Violation conditions
Splunk Enterprise license For Splunk Enterprise license stacks with a licensed volume of 100 GB per day or higher, warnings are issued when the system exceeds its daily licensed capacity. Search is not disabled.
If you have a license stack with less than 100 GB of data per day of license volume, and you generate 45 license warnings in a rolling 60 day period, you are in violation of your license. If that license stack is split into multiple pools, search is disabled for a pool and its license pool member(s) after 45 warnings over a rolling 60-day window. Other pools and their members will remain searchable if the usage across the remaining license pools does not exceed their allocated license. To reenable search, request a reset license from Splunk Sales.
Splunk Enterprise infrastructure license An Enterprise license based on vCPU usage does not currently violate.
Splunk Enterprise Trial license If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.
Dev/Test license If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. To enable searching, request a reset license using the request form at Personalized Dev/Test Licenses for Splunk Customers.
Developer license If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. To enable searching, request a reset license by emailing devinfo at splunk.com.
Free license If you generate three or more warnings in a rolling 30-day period, you are in violation of your license. Splunk Enterprise continues to index your data, but you cannot search it. The warnings persist for 14 days. No reset license is available.

Violations due to broken connections between license manager and peers

A license peer transmits its license volume usage to the license manager every minute. If a license peer cannot communicate with the license manager for 72 hours or more, the peer is placed in violation, and search is blocked. A violation still allows indexing to continue. You cannot search a peer in violation until it is reconnected with the license manager.

To find out if a license peer is unable to reach the license manager, search for an error event in the _internal index or the license peer's splunkd.log:

index=_internal LMTracker error "failed to send rows" OR "unable to connect"

Avoiding license warnings

To avoid license warnings, monitor the license usage over time and ensure that you have sufficient license volume to support your daily license use:

  • Enable an alert on the monitoring console to monitor daily license usage. See Platform alerts in Monitoring Splunk Enterprise.

Correcting license warnings

If you receive a message to correct a license warning before midnight, you have already exceeded your license quota for the day. This warning is issued to make you aware of the license use and to provide you time to change or update your license configuration. The daily license volume quota resets at midnight on the license manager, and at that point the warning is recorded as a license warning. Most licenses allow for a limited number of warnings before a violation occurs.

Once data is indexed, you cannot change the volume recorded against your license. You can't un-index data. Instead, you need to gain additional license volume using one of these options:

  • If you have another license pool with extra license volume, reconfigure your pools and move license capacity where you need it.
  • Purchase more licenses and add them to the license stack and pool.

If you cannot use either of those options, you can analyze your indexing volume and make a change to reduce the data sources that are using more license than usual. To learn which data sources are contributing the most to your license quota, see the license usage report view.

Once you identify a data source that is using a lot of the licensed volume, you can determine how to manage the data to correct the license warnings:

  • Determine if this was a one-time data ingestion issue. For example, debug logging was enabled on the application logs to troubleshoot an issue, but the logging-level will be reset tomorrow.
  • Determine if this is a new average license usage based upon changes in the infrastructure. For example, a new application or server cluster came online, and the team didn't update you before ingesting their data.
  • Determine if you can filter and drop some of the incoming data. For examples of drop filters, see Route and filter data in the Forwarding Data manual.
Last modified on 03 October, 2024
Manage licenses from the CLI   About the Splunk Enterprise license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters