In Splunk, data getting indexed each day might exceed the allotted license quota. In such scenarios splunk license violation occurs. For example, consider a case where forwarder stops sending data for several days and all of a sudden it starts sending it. In such situation an avalanche of data starts flowing which violates the license. We get license warning message as shown below.
Let’s discuss more about license warnings and violations.
License warnings and violations:
- Warnings and violations occur when you exceed the maximum daily indexing volume allowed for your license.
- Daily indexing volume is measured from midnight to midnight by the clock on the license master.
- If you have 5 or more warnings on an enforced Enterprise license, or 3 warnings on a Free license, in a rolling 30-day period, you are in violation of your license.
What happens during a license violation?
- Splunk software does not stop indexing your data.
- If you are using a pre-6.5.0 license, Splunk software blocks search while you are in license violation. This restriction includes scheduled reports and alerts.
- If you are using a new no-enforcement license, search continues even while you are in license violation.
- Searches to the internal indexes are never disabled. This means that you can access the Monitoring Console or run searches against _internal to diagnose the licensing problem.
What can cause license warnings
- If indexers in a pool exceed the license volume allocated to that pool, you will see a message in Messages on any page in Splunk Web.
- The conditions that generate licensing alerts are:
o When a slave becomes an orphan.
o When a pool has maxed out.
o When a stack has maxed out.
o When a warning is given to one or more slaves.
License master and license slave connection:
- License slaves communicate to license master about their usage every minute.
- If license master is down or unreachable, license slave starts a 72 hour timer.
- If the license slave cannot reach the license master for 72 hours, search is blocked on the license slave.
- Users cannot search data in the indexes on the license slave until that slave can reach the license master again.
How to avoid license violations:
- To avoid license violations:
o Monitor license usage and ensure you have sufficient license volume.
o Enable license monitors usage alerts in distributed management console.
- License warning workaround:
If license warning is exceeded then, additional license can be added in following ways:
o Request a no-enforcement Enterprise license if your license master is running Splunk
Enterprise 6.5.0 or later.
Metrics license usage:
- Unlike event data, metrics data counts against a license at a fixed 150 bytes per metric event.
- Metrics data does not have a separate license, it uses same license quota.