Splunk® Enterprise

Admin Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the Splunk Enterprise license usage report view

The license usage report view (LURV) on your deployment's license master is consolidated resource for questions related to your Splunk license capacity and indexed volume. Directly from the Splunk Licensing page, you can see your daily indexing volume, any license warnings, and a view of the last 30 days of your license usage with multiple reporting options.

LURV displays detailed license usage information for your license pool. The dashboard is logically divided into two parts: one displays information about today's license usage, and any warning information in the current rolling window; the other shows historic license usage during the past 30 days.

For every panel in LURV, you can click "Open in search" at the bottom left of the panel to interact with the search.

Access the license usage report view

Find LURV in Settings > Licensing > Usage report on your deployment's license master. (If your deployment is only one instance, your instance is its own license master.)

AccessLURV.png

Today tab

When you first arrive at LURV, you'll see five panels under the "Today" tab. These panels show the status of license usage and the warnings for the day that hasn't yet finished. The licenser's day ends at midnight in whichever time zone the license master is set to.

All the panels in the "Today" tab query the Splunk REST API.

Today's license usage panel

This panel gauges license usage for today, as well as the total daily license quota across all pools.

Today's license usage per pool panel

This panel shows the license usage for each pool as well as the daily license quota for each pool.

Today's percentage of daily license quota used per pool panel

This panel shows what percentage of the daily license quota has been indexed by each pool. The percentage is displayed on a logarithmic scale.

Pool usage warnings panel

This panel shows the warnings, both soft and hard, that each pool has received in the past 30 days (or since the last license reset key was applied). Read "About license violations" in this manual to learn more about soft and hard warnings, and license violations.

Slave usage warnings panel

For each license slave, this panel shows: the number of warnings, pool membership, and whether the slave is in violation.

Previous 30 Days tab

Clicking on the "Previous 30 Days" tab reveals five more panels and several drop-down options.

All visualizations in these panels limit the number of host, source, source type, index, pool (any field you split by) that are plotted. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other." We've set the maximum number of values plotted to 10 using timechart. We hope this gives you enough information most of the time without making the visualizations difficult to read.

These panels all use data collected from license_usage.log, type=RolloverSummary (daily totals). If your license master is down at its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.

Split-by: no split, indexer, pool

These three split-by options are self-explanatory. Read about adding an indexer to a license pool and about license pools in previous chapters in this manual.

Split-by: source, source type, host, index

There are two things you should understand about these four split-by fields: report acceleration and squashing.

Improve performance by accelerating reports

Splitting by source, source type, and host uses license_usage.log type=Usage, which provides real-time usage statistics at one-minute intervals. We recommend accelerating the report that powers these split-by options on your license master. (Without acceleration, the search can be very slow, since it searches through 30 days worth of data that gets generated at a rate of one event per minute -- that's a lot of events!)

Acceleration for this report is disabled by default. To accelerate the report, click the link that shows up in the info message when you select one of these split-by values. You can also find the workflow for accelerating in Settings > Searches and reports > License usage data cube. See Accelerate reports in the Reporting Manual.

Note that report acceleration can take up to 10 minutes to start after you select it for the first time. Then Splunk software takes some amount time to build the acceleration summary -- typically a few to tens of minutes, depending on the amount of data being summarized. Only after the acceleration is finished building will performance improve for these split-by options.

After the first acceleration run, subsequent reports build on what's already there, keeping the report up-to-date (and the reporting fast). You should have a long wait only the first time you turn on report acceleration.

Important: Enable report acceleration only on your license master.

Configure how frequently the acceleration runs in savedsearches.conf, with auto_summarize. The default is every 10 minutes. Keep it frequent, to keep the workload small and steady. We put in a cron for every 10 minutes at the 3 minute mark. This is configurable in auto_summarize.cron_schedule.

Squashing

Every indexer periodically reports to license manager stats of the data indexed: broken down by source, source type, host, and index. If the number of distinct (source, source type, host, index) tuples grows over the squash_threshold, Splunk squashes the {host, source} values and only reports a breakdown by {sourcetype, index}. This is to prevent high memory usage and an unwieldy number of license_usage.log lines.

Because of squashing on the other fields, only the split-by source type and index will guarantee full reporting (every byte). Split by source and host do not guarantee full reporting necessarily, if those two fields represent many distinct values. Splunk reports the entire quantity indexed, but not the names. So you lose granularity (that is, you don't know who consumed that amount), but you still know what the amount consumed is.

Squashing is configurable (with care!) in server.conf, in the [license] stanza, with the squash_threshold setting. You can increase the value, but doing so can use a lot of memory, so consult a Splunk Support engineer before changing it.

LURV tells you (with a warning message in Splunk Web) if squashing has occurred.

If you find that you need the granular information, you can get it from metrics.log instead, using per_host_thruput.

Top 5 by average daily volume

The "Top 5" panel shows both average and maximum daily usage of the top five values for whatever split by field you've picked from the Split By menu.

Note that this selects the top five average (not peak) values. So, for example, say you have more than five source types. Source type F is normally much smaller than the others but has a brief peak. Source type F's max daily usage is very high, but its average usage might still be low (since it has all those days of very low usage to bring down its average). Since this panel selects the top five average values, source type F might still not show up in this view.

Use LURV

Read the next topic for a tip about configuring an alert based on a LURV panel.

PREVIOUS
Swap the license master
  NEXT
Use the license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters