Splunk® Enterprise

Admin Manual

Share performance data

You can opt in to automatically share certain data about your license usage and deployment performance with Splunk Inc ("Splunk"). Splunk uses this data to make decisions about future product development.

Splunk apps and add-ons

In addition to the data enumerated in this topic, certain apps or add-ons might collect usage data. See the documentation for your app or add-on for details. The following apps collect additional data. Check back for updates.

Opt in or out of sharing usage data

You can choose to send both, either, or neither of two types of usage data:

  • License usage data describing your active licenses and the amount of data you index.
  • Anonymized usage data about your deployment performance and usage, including session data.


The first time you run Splunk Web on a search head as an admin or equivalent, you are presented with a modal. The options on the modal are as follows:

  • Click Skip to suppress the modal permanently for the user who clicks Skip. Use this option to defer the decision to a different admin.
  • Click OK to confirm your choice and suppress the modal permanently for all users.

Neither category of usage data is sent unless you click OK with one or both boxes checked. You can opt in or out at any time by navigating to Settings > Instrumentation.

If you opt out, the searches that gather the data on your system do not run, and no usage data is sent.

The ability to enable or disable instrumentation is controlled by the edit_telemetry_settings capability.

See Update checker data below for information about a smaller category of data controlled separately.

What usage data is collected

For license usage data and the anonymized usage data that is not session data, you can view what data has been sent in Splunk Web.

  1. Navigate to Settings > Instrumentation.
  2. Under the relevant data category ("Anonymized usage data" or "License usage data"), click View Log.
  3. Click View Selected Data.

This log of data is available only after the first run of the collection (see Feature footprint). To inspect the type of data that gets sent before opting in on your production environment, you can opt in on your sandbox environment.

To view the remaining anonymized usage data (the session data), use JavaScript logging in your browser. Look for network events sent to a URL containing splkmobile. Events are triggered by actions such as navigating to a new page in Splunk Web.

See Update checker data below for information about a smaller category of data controlled separately.

The following tables describe the data collected if you opt in to both usage data programs and do not turn off update checker. The usage data is in JSON format tagged with a field named "component."

New for Splunk Enterprise 6.6.0

The following pieces of data are collected starting with Splunk Enterprise version 6.6.0 but not 6.5.x. For descriptions and examples, see the tables that follow.

  • Start of user session:
    • Deployment ID
    • Event ID
    • Experience ID
    • Hashed user ID
    • Splunk instance GUID for the instance generating session data
  • Page views
  • Dashboard performance
  • Pivot usage
  • Performance metrics for the searches that collect usage data


Upon upgrade, you are presented with an opt-in modal advising you of additional data collection. No anonymized usage data is collected (including the fields collected pre-6.6.0) until you confirm your selection, either in the opt-in modal or in Settings > Instrumentation.

Types of data collected by Splunk Enterprise

Splunk Enterprise collects the following types of data:


Note that additional data might be collected by certain apps or add-ons. See app or add-on documentation for details.

Anonymized usage data

| Description | Component(s) | Note |
|---|---|---|
| Active license group and subgroup, total license stack quota, license pool quota, license pool consumption, total license consumption, license stack type | licensing.stack | |
| License IDs | licensing.stack | Sent for both reporting types, but persisted only for users opting in to license usage reporting. |
| Number of nodes in indexer cluster, replication factor and search factor for indexer cluster | deployment.clustering.indexer | |
| GUID, host, number of cores by type (virtual/physical), CPU architecture, memory size, storage (partition) capacity, OS/version, Splunk version | deployment.node | For each indexer or search head |
| Number of hosts, number of Splunk software instances, OS/version, CPU architecture, Splunk software version, distribution of forwarding volume | deployment.forwarders | For forwarders |
| Core utilization, storage utilization, memory usage, indexing throughput, search latency | deployment.node, performance.indexing, performance.search | |
| Indexing volume, number of events, number of hosts, source type name | usage.indexing.sourcetype | |
| Number of active users | usage.users.active | |
| Number of searches of each type, distribution of concurrent searches | usage.search.type, usage.search.concurrent | |
| App name, page name, locale, number of users, number of page loads | usage.app.page | Session data. |
| deploymentID = identifier for deployment, eventID = identifier for this specific event, experienceID = identifier for this session, userID = hashed username, data.guid = GUID for Splunk Enterprise instance serving page | app.session.session_start | Session data. Triggered when user is first authenticated. |
| Page views | app.session.pageview | Session data. Triggered when user visits a new page. |
| Dashboard characteristics | app.session.dashboard.pageview | Session data. Triggered when a dashboard is loaded. |
| Pivot characteristics | app.session.pivot.load | Session data. Triggered when a pivot is loaded. |
| Pivot changes | app.session.pivot.interact | Session data. Triggered when a change is made to a pivot. |
| Search page interaction | app.session.search.interact | Session data. Triggered with interaction with search page. |

License usage data

| Description | Component(s) | Note |
|---|---|---|
| Active license group and subgroup, total license stack quota, total license pool consumption, license stack type, license pool quota, license pool consumption | licensing.stack | |
| License IDs | licensing.stack | Sent for both reporting types, but persisted only for users opting in to license usage reporting. |

Update checker data

Update checker data is sent by your browser soon after you log into Splunk software. The data is sent to Splunk. Splunk uses the data to understand the number of customers using older versions of software, and your Splunk software instance uses the data to display a message in Splunk Web when a new version is available.

To view the data that is sent, watch JavaScript network traffic as you log into Splunk Web. The data is sent inside a call to quickdraw.splunk.com.

You can turn off update checker data reporting in web.conf, by setting the updateCheckerBaseURL attribute to 0. See About configuration files.

| Description | Example |
|---|---|
| CPU architecture | x86_64 |
| Operating system | Linux |
| Product | enterprise |
| Splunk roles | admin |
| License group, subgroup, and GUID | Enterprise, Production, <GUID> |
| Splunk software version | 6.6.0 |

Data samples

Anonymized usage data

Component Data category Example
deployment.clustering.indexer Clustering configuration
{
    "host": "docteam-unix-5",
    "summaryReplication": true,
    "siteReplicationFactor": null,
    "enabled": true,
    "multiSite": false,
    "searchFactor": 2,
    "siteSearchFactor": null,
    "timezone": "-0700",
    "replicationFactor": 3
}
deployment.forwarders Forwarder architecture, forwarding volume
{
    "hosts": 168,
    "instances": 497,
    "architecture": "x86_64",
    "os": "Linux",
    "splunkVersion": "6.5.0",
    "type": "uf",
    "bytes": {
        "min": 389,
        "max": 2291497,
        "total": 189124803,
        "p10": 40960,
        "p20": 139264,
        "p30": 216064,
        "p40": 269312,
        "p50": 318157,
        "p60": 345088,
        "p70": 393216,
        "p80": 489472,
        "p90": 781312
    }
}
deployment.node Host architecture, utilization
{  
    "guid": "123309CB-ABCD-4BB9-9B6A-185316600F23",
    "host": "docteam-unix-3",
    "os": "Linux",
    "osExt": "Linux",
    "osVersion": "3.10.0-123.el7.x86_64",
    "splunkVersion": "6.5.0",
    "cpu": {  
        "coreCount": 2,
        "utilization": {  
            "min": 0.01,
            "p10": 0.01,
            "p20": 0.01,
            "p30": 0.01,
            "p40": 0.01,
            "p50": 0.02,
            "p60": 0.02,
            "p70": 0.03,
            "p80": 0.03,
            "p90": 0.05,
            "max": 0.44
        },
        "virtualCoreCount": 2,
        "architecture": "x86_64"
    },
    "memory": {  
        "utilization": {  
            "min": 0.26,
            "max": 0.34,
            "p10": 0.27,
            "p20": 0.28,
            "p30": 0.28,
            "p40": 0.28,
            "p50": 0.29,
            "p60": 0.29,
            "p70": 0.29,
            "p80": 0.3,
            "p90": 0.31
        },
        "capacity": 3977003401
    },
    "disk": {  
        "fileSystem": "xfs",
        "capacity": 124014034944,
        "utilization": 0.12
    }
}
licensing.stack Licensing quota and consumption
{
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "enterprise",
    "name": "download-trial",
    "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
    ],
    "quota": 524288000,
    "pools": [
        {
            "quota": 524288000,
            "consumption": 304049405
        }
    ],
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
}
performance.indexing Indexing throughput and volume
{
    "host": "docteam-unix-5",
    "thruput": {
        "min": 412,
        "max": 9225,
        "total": 42980219,    
        "p10": 413,
        "p20": 413,
        "p30": 431,
        "p40": 450,
        "p50": 474,
        "p60": 488,
        "p70": 488,
        "p80": 488,
        "p90": 518
    }
}
performance.search Search runtime statistics
{
    "latency": {
        "min": 0.01,
        "max": 1.33,
        "p10": 0.02,
        "p20": 0.02,
        "p30": 0.05,
        "p40": 0.16,
        "p50": 0.17,
        "p60": 0.2,
        "p70": 0.26,        
        "p80": 0.34,
        "p90": 0.8
    }
}
app.session.dashboard.pageview
app.session.pivot.interact
app.session.pivot.load
app.session.search.interact
app.session.pageview
{
    "component": "app.session.pageview",
    "timestamp": 1490252394,
    "visibility": "anonymous",
    "experienceID": "0afeff4c-da15-58ba-e826-c3e89009074d",
    "userID": "bba2504e427e0eebcee94192aeeb124eb9ae83fc",
    "version": "2",
    "eventID": "c918b567-6dbf-c68f-f3bd-39650fcb0e69",
    "data": {
        "app": "launcher",
        "page": "home"
    },
    "deploymentID": "SPLUNKQA-7efb1644-e209-4afb-90ea-d7cddf77c617"
}
app.session.session_start
{
    "component": "app.session.session_start",
    "timestamp": 1490252394,
    "visibility": "anonymous",
    "experienceID": "0efeff4c-da15-50ba-e826-c3e89109074d",
    "userID": "bba2504e427e0eebcee94192aweb124eb9ae83fc",
    "version": "2",
    "eventID": "cd5634e1-19c3-e088-53v5-7ee328608a4c",
    "data": {
        "app": "launcher",
        "splunkVersion": "6.6.0",
        "os": "Ubuntu",
        "browser": "Firefox",
        "browserVersion": "38.0",
        "locale": "en-US",
        "device": "Linux x86_64",
        "osVersion": "not available",
        "page": "home",
        "guid": "2550FC44-64E5-43P5-AS44-6ABD84C91E42"
    },
    "deploymentID": "SPLUNKQA-7efb1644-q209-4afb-90ea-d7cddf07c617"
}
usage.app.page App page users and views
{
    "app": "search",
    "locale": "en-US",
    "occurrences": 1,
    "page": "datasets",
    "users": 1
}
usage.indexing.sourcetype Indexing by source type
{
    "name": "vendor_sales",
    "bytes": 2026348,
    "events": 30245,
    "hosts": 1
}
usage.search.concurrent Search concurrency
{
    "host": "docteam-unix-5",
    "searches": {
        "min": 1,
        "max": 11,
        "p10": 1,
        "p20": 1,
        "p30": 1,
        "p40": 1,
        "p50": 1,
        "p60": 1,
        "p70": 1,
        "p80": 2,
        "p90": 3
    }
}
usage.search.type Searches by type
{
    "ad-hoc": 1428,
    "scheduled": 225
}
usage.users.active Active users
{
    "active": 23
}

License usage data

Component Data category Example
licensing.stack Licensing quota and consumption
{
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "enterprise",
    "name": "download-trial",
    "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
    ],
    "quota": 524288000,
    "pools": [
        {
            "quota": 524288000,
            "consumption": 304049405
        }
    ],
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
}

Update checker data

| Data category | Example |
|---|---|
| CPU architecture | x86_64 |
| Operating system | Linux |
| Product | enterprise |
| Splunk roles | admin |
| License group, subgroup, and GUID | Enterprise, Production, <GUID> |
| Splunk software version | 6.6.0 |

What data is not collected

The following kinds of data are not collected:

  • Unhashed usernames or passwords.
  • Indexed data that you ingest into your Splunk platform instance.
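
To check an export from a sandbox instance against the component tables and the list above before opting in on production, the following added example (not Splunk code) inventories identifier-bearing fields per component and flags user IDs that do not look hashed. It assumes one JSON event per line in the envelope the session samples show (`component` at the top level, payload under `data`) and a 40-hex-digit user hash as in the `app.session.pageview` sample; the function names and the sample lines are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Keys that, in this page's samples, carry instance, deployment, user or license identifiers.
IDENTIFIER_KEYS = {"host", "guid", "userID", "deploymentID", "experienceID", "licenseIDs"}
# Assumption: a hashed user ID is a 40-hex-digit digest, as in the pageview sample.
HASHED_USER = re.compile(r"[0-9a-f]{40}")

def is_session(component):
    # The component table marks app.session.* and usage.app.page as session data.
    return component.startswith("app.session.") or component == "usage.app.page"

def identifier_paths(obj, prefix=""):
    """Yield the dotted path of every identifier-bearing key in a nested event."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in IDENTIFIER_KEYS:
                yield prefix + key
            yield from identifier_paths(value, prefix + key + ".")
    elif isinstance(obj, list):
        for item in obj:
            yield from identifier_paths(item, prefix)

def audit(lines):
    """Summarise events per component and collect user IDs that are not hashed."""
    report = defaultdict(lambda: {"events": 0, "session": False, "identifiers": set()})
    unhashed = []
    for line in lines:
        event = json.loads(line)
        component = event.get("component", "<untagged>")
        entry = report[component]
        entry["events"] += 1
        entry["session"] = is_session(component)
        entry["identifiers"].update(identifier_paths(event))
        user = event.get("userID")
        if user is not None and not HASHED_USER.fullmatch(str(user)):
            unhashed.append((component, user))
    return dict(report), unhashed

# Constructed sample export: the pageview event from this page (abridged), a
# deployment.node event in the assumed envelope, and an event with a raw username.
SAMPLE = [
    '{"component": "app.session.pageview", "userID": "bba2504e427e0eebcee94192aeeb124eb9ae83fc",'
    ' "deploymentID": "SPLUNKQA-7efb1644-e209-4afb-90ea-d7cddf77c617", "data": {"page": "home"}}',
    '{"component": "deployment.node", "data": {"guid": "123309CB-ABCD-4BB9-9B6A-185316600F23",'
    ' "host": "docteam-unix-3", "cpu": {"coreCount": 2}}}',
    '{"component": "app.session.session_start", "userID": "jsmith", "data": {"guid": "CONSTRUCTED"}}',
]
```

Calling `audit(SAMPLE)` returns the per-component summary and a list of `(component, userID)` pairs whose user ID fails the hash check; an empty list is the expected result for a real export.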

How usage data is handled

When you enable instrumentation, usage data is transported directly to Splunk through its MINT infrastructure. Data received is securely stored within on-premises servers at Splunk with restricted access.

Anonymized usage data is aggregated, and is used by Splunk to analyze usage patterns so that Splunk can improve its products and benefit customers. License IDs collected are used only to verify that data is received from a valid Splunk product and persisted only for users opting into license usage reporting. These license IDs help Splunk analyze how different Splunk products are being deployed across the population of users and are not attached to any anonymized usage data.

See the Splunk Privacy Policy for more information.

Why send license usage data

Certain license programs require that you report your license usage. The easiest way to do this is to opt in to automatically send this information to Splunk.

If you do not enable automatic license data sharing, you can send this data manually. To send usage data manually:

  1. On a search head, log into Splunk Web.
  2. Select Settings > Instrumentation.
  3. Click Export & Send.
  4. Select a date range.
  5. Click Send or Export to send data to Splunk or export data to your local machine.

Feature footprint

Anonymized usage and license usage data is summarized and sent once per day, starting at 3:05 a.m.

Session data and update checker data is sent from your browser as the events are generated. The performance implications are negligible.

About searches

If you opt in to anonymized usage and license usage data reporting, one instance in your Splunk Enterprise deployment collects data through ad hoc searches. All searches run in sequence, starting at 3:05 a.m. on the node that runs the searches. All searches are triggered with a scripted input. See Configure the priority of scheduled reports.

Which node runs the searches

Only one node in your deployment runs the searches to collect the usage data. Which instance that is depends on the details of your deployment:

  • If indexer clustering is enabled, the searches run on the cluster master.
  • If search head clustering is enabled but not indexer clustering, the searches run on the search head captain.
  • If your deployment does not use clustering, the searches run on a search head.

About internal log files

If you enable license usage reporting, the first time product instrumentation runs, it creates a new file in $SPLUNK_HOME/var/log/splunk. The file is called license_usage_summary.log and is limited in size to 25 MB. The file is indexed to a new internal index, _telemetry. The _telemetry index is retained for two years by default and is limited in size to 256 MB.

After the searches run, the data is packaged and sent to Splunk, Inc.

The app resides in the file system at $SPLUNK_HOME/etc/apps/splunk_instrumentation.

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2

