9. What is the use of License Master in Splunk?

License master is responsible for making sure that right amount of data gets indexed.splunk license is based on the data volume that comes to the platform within 24hr window.

Eg: You get 300 GB data on day one, 500gb on second data and 1 terabyte data of on some day and suddenly it drops to 100gb on some day. Then ideally you should have 1 terabyte data licensing model. The license master thus makes sure that the indexers within the splunk deployment have sufficient capacity and licensing the right amount of data.

10. What happens if license master is unreachable?

In case it happens it is not possible to search the data. The data coming into the indexer will not be affected. The data will continue to flow into your splunk deployment, the indexer will continue to index the data as usual. You will get the warning message on top of search head or web UI saying that you exceeded the indexing volume.

11. Explain license violation from splunk perspective?

If you exceed the data limit it will show a license violation error. The license warning that is thrown up will persist for 14 days. In commercial license you can have 5 warnings within a 30day rolling window before which your indexer’s search results and reports stop triggering.