Overview of Splunk App for Chargeback
The Splunk App for Chargeback helps customers understand Splunk Cloud or Splunk Enterprise (On-Prem) usage by business hierarchy. Starting at the highest level, B-Units (Business Units) are comprised of departments, which are comprised of users.
Splunk App for Chargeback provides an easy-to-use experience to analyze how internal business units are leveraging Splunk. This app provides the framework necessary for Chargeback and/or Showback use cases for:
- Search Resource Usage (SRU)
- Active Searchable Storage: Splunk Cloud Dynamic Data Active Searchable Storage (DDAS) and On-Prem Storage usage
- Dynamic Data Active Archive (DDAA): Splunk Cloud only.
- Dynamic Data Self-Storage (DDSS): Splunk Cloud DDSS or On-Prem GCP or AWS S3 bucket.
The app provides the following functionalities to all Splunk customers:
- Framework for customers to build their own Chargeback and/or Showback models [Accounting and Utilization respectively]
- The means to determine how many SRUs are allocated towards a company's business units, departments, and users associated with them [Accounting]
- The means to automatically determine how Splunk resources are being used by the various business units [Utilization]
- Ability to drill down and break down the usage from the business level down to user activity
- Ability to forecast SRU usage for the entire organization or by business unit using Splunk Machine Learning
- Accurately maintains an up-to-date list of identities along with corresponding Business Unit and Department information by indexing the data from sources like DB Connect, Active Directory, and several others
Search Resource Usage (SRU)
The app uses a formula to calculate an internal unit of measurement called Search Resource Usage (SRU). Every hour, the app's summary job summarizes the percentage of SRUs consumed by each job. A job is the set of all executions, of any type, grouped by [shcluster_label, App, User, Search_Type, Provenances, Job]. For example: all runs of a scheduled job or dashboard on the same search head (sh) or search head cluster (shc), by the same app, with the same search type and provenance, by the same user and job, within the hour in which the measurement took place.
- During the summarization, the app uses the 8 enrichment principles to store information about the combination of B-Units, departments, and users within these departments that was responsible for the measured usage, using the logic described.
- SRUs do not replace or contradict Splunk Cloud SVCs or Splunk On-Prem vCPUs. SRUs are the estimated overhead that search exerts on the Splunk Platform, and they help organizations estimate usage so it can be associated with the various business units using the platform. In Splunk Cloud, the app fetches the SVCs used for the day/hour, uses the already defined B-Unit/Department information, and then applies the calculated SRU percentage to estimate the number of SVCs the B-Unit and its departments consumed that day/hour.
- Customers should use SRUs for Chargeback and Showback use cases only, not as a replacement for SVCs or vCPUs. Customers should use the CMC dashboards to review their SVC usage.
- The splunk-system-user runs all data model and report accelerations, regardless of the user that created these knowledge objects. It also runs all scheduled jobs created by an app downloaded and installed from Splunkbase. It is therefore important to understand that usage originating from this special user is spread across multiple B-Units and departments, based on the 8 enrichment principles and on the SRU formula, which calculates the percentage used by this user that is associated with each B-Unit/Department.
- The formula that drives SRUs uses these 6 metrics at calculation time:
  - CPU usage from _introspection multiplied by configurable Weighted Average (9)
  - Memory usage from _introspection multiplied by configurable Weighted Average (7)
  - Runtime from _audit multiplied by configurable Weighted Average (3.5)
  - Buckets searched from _audit multiplied by configurable Weighted Average (1.5)
  - Raw events scanned from _audit multiplied by configurable Weighted Average (0.25)
  - Sparseness from _audit multiplied by configurable Weighted Average (2.5)
Each metric has a configurable weighted average, a real number (1-9), which puts more emphasis on one metric over another.
Customers can alter a weight, increasing or decreasing its emphasis, if they think one metric should count for more or less than another.
- A value of 1 means that there is no reduction or increase
- A value less than 1 is a reduction from what Splunk produces
- A value greater than 1 means more emphasis or increase
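The following added example (not the app's own code) shows how weighted metrics can turn into per-job SRU percentages and a B-Unit split of an hourly SVC figure. The page does not state how the six weighted metrics are combined, so the normalization and summation here are assumptions, as are the function names and the constructed sample jobs.

```python
# Added example. Weights are the defaults listed on this page; the way the
# weighted metrics are combined below is an ASSUMPTION, not the app's formula.
from collections import defaultdict

WEIGHTS = {"cpu": 9, "memory": 7, "runtime": 3.5,
           "buckets": 1.5, "events": 0.25, "sparseness": 2.5}

def sru_percent(jobs, weights=WEIGHTS):
    """Return each job's percentage of the hour's SRUs, in input order."""
    # Assumed normalization: express every metric as the job's share of the
    # hourly total so CPU seconds and event counts become comparable.
    totals = {m: sum(j["metrics"][m] for j in jobs) for m in weights}
    scores = [
        sum(w * j["metrics"][m] / totals[m] for m, w in weights.items() if totals[m])
        for j in jobs
    ]
    grand = sum(scores)
    return [100.0 * s / grand if grand else 0.0 for s in scores]

def allocate_svc(jobs, svc_total, weights=WEIGHTS):
    """Apply the SRU percentages to the hour's SVC figure, rolled up by B-Unit."""
    by_bunit = defaultdict(float)
    for job, pct in zip(jobs, sru_percent(jobs, weights)):
        by_bunit[job["bunit"]] += svc_total * pct / 100.0
    return dict(by_bunit)

# Constructed sample data for one hour (not real measurements).
JOBS = [
    {"job": "fraud_dashboard", "bunit": "Finance",
     "metrics": {"cpu": 100, "memory": 0, "runtime": 30,
                 "buckets": 10, "events": 5000, "sparseness": 1}},
    {"job": "auth_alert", "bunit": "Security",
     "metrics": {"cpu": 0, "memory": 200, "runtime": 30,
                 "buckets": 10, "events": 5000, "sparseness": 1}},
]

if __name__ == "__main__":
    for job, pct in zip(JOBS, sru_percent(JOBS)):
        print(f'{job["job"]:16} {job["bunit"]:9} {pct:6.2f}% of SRUs')
    print(allocate_svc(JOBS, svc_total=40.0))
    # Lowering the CPU weight to 1 shifts cost away from the CPU-heavy job.
    print(allocate_svc(JOBS, 40.0, {**WEIGHTS, "cpu": 1}))
```
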
Below is a diagram of the formula illustrated in the pie chart with the emphasis on each metric.
Your use of this app is subject to the Splunk General Terms.
This documentation applies to the following versions of Splunk® App for Chargeback: current