Splunk® App for Chargeback

Use the Splunk App for Chargeback

Overview of Splunk App for Chargeback

The Splunk App for Chargeback helps customers understand Splunk Cloud or Splunk Enterprise (On-Prem) usage by business hierarchy. Starting at the highest level, B-Units (Business Units) are made up of departments, which are made up of users.


Splunk App for Chargeback provides an easy-to-use experience to analyze how internal business units are leveraging Splunk. This app provides the framework necessary for Chargeback and/or Showback use cases for:

  1. Search Resource Usage (SRU)
  2. Active Searchable Storage: Splunk Cloud Dynamic Data Active Searchable Storage (DDAS) and On-Prem Storage usage
  3. Dynamic Data Active Archive (DDAA): Splunk Cloud only.
  4. Dynamic Data Self-Storage (DDSS): Splunk Cloud DDSS or On-Prem GCP or AWS S3 bucket.

The app provides the following functionalities to all Splunk customers:

  • Framework for customers to build their own Chargeback and/or Showback models [Accounting and Utilization respectively]
  • The means to determine how many SRUs are allocated towards a company's business units, departments, and users associated with them [Accounting]
  • The means to automatically determine how Splunk resources are being used by the various business units [Utilization]
  • Ability to drill down and break down the usage from the business level down to user activity
  • Ability to forecast SRU usage for the entire organization or by business unit using Splunk Machine Learning
  • Accurately maintains an up-to-date list of identities along with the corresponding Business Unit and Department information by indexing the data from sources like DB Connect, Active Directory, and several others

Search Resource Usage (SRU)

The app uses a formula to calculate an internal unit of measurement called Search Resource Usage (SRU). Every hour, the app's summary job summarizes the percentage of SRUs consumed by a given job. A job is all executions of any type, taken together, grouped by [shcluster_label, App, User, Search_Type, Provenances, Job]. For example: all runs of a scheduled job or dashboard on the same search head (sh) or search head cluster (shc), by the same app, the same search type and provenance, and the same user and job, within the hour the measurement took place.

  • During the summarization, the app uses the 8 enrichment principles to store information about the combination of B-Units, departments, and users within those departments that were responsible for the usage measured using the logic described.
  • SRUs do not replace or contradict Splunk Cloud SVCs or Splunk On-Prem vCPUs. SRUs are the estimated overhead that search exerts on the Splunk platform, which helps organizations estimate usage so that it can be associated with the various business units using the platform. In Splunk Cloud, the app fetches the SVCs used for the day/hour, uses the already defined B-Unit/Department information, and then applies the calculated SRU percentage to estimate the amount of SVCs the B-Unit and its departments consumed that day/hour.
  • Customers should use SRUs for Chargeback and Showback use cases only, not as a replacement for SVCs or vCPUs. Customers should use the CMC dashboards to review their SVC usage.
  • The splunk-system-user runs all data model and report accelerations, regardless of the user that created these knowledge objects. In addition, it runs all scheduled jobs that were created by an app downloaded and installed from Splunkbase. It is therefore important to understand that usage originating from this special user is spread across multiple B-Units and departments, based on the 8 enrichment principles and on the SRU formula that calculates the percentage used by this user associated with a B-Unit/Department.
  • The formula that drives SRUs uses these 6 metrics at calculation time:
  1. CPU usage from _introspection multiplied by configurable Weighted Average (9)
  2. Memory usage from _introspection multiplied by configurable Weighted Average (7)
  3. Runtime from _audit multiplied by configurable Weighted Average (3.5)
  4. Buckets searched from _audit multiplied by configurable Weighted Average (1.5)
  5. Raw events scanned from _audit multiplied by configurable Weighted Average (0.25)
  6. Sparseness from _audit multiplied by configurable Weighted Average (2.5)

Each metric has a configurable weighted average, a real number (1-9), which is applied to put more emphasis on one metric over another.

Customers can alter the weight if they think one metric should carry a higher or lower weight than another by increasing or decreasing its emphasis.

  • A value of 1 means that there is no reduction or increase
  • A value less than 1 is a reduction from what Splunk produces
  • A value greater than 1 means more emphasis or increase

Below is a diagram of the formula illustrated in the pie chart with the emphasis on each metric.

This diagram shows the configurable SRU percentage weight formula
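
An added worked example, not the app's own code: the page does not give the exact formula, so this sketch assumes each metric is first normalized to the job's share of that metric's hourly total and the six shares are then combined as a weighted average using the default weights listed above. The job records, field names, and the SVC figure passed in are constructed for illustration.

```python
# Default weights as listed on this page; the app lets customers change them.
WEIGHTS = {"cpu": 9, "memory": 7, "runtime": 3.5,
           "buckets": 1.5, "events": 0.25, "sparseness": 2.5}

# Constructed sample: per-job metrics for one hour (all values are made up).
JOBS = [
    {"b_unit": "Finance", "job": "ledger_report", "cpu": 80, "memory": 200,
     "runtime": 60, "buckets": 10, "events": 1000, "sparseness": 1},
    {"b_unit": "Security", "job": "threat_hunt", "cpu": 15, "memory": 600,
     "runtime": 300, "buckets": 80, "events": 9000, "sparseness": 6},
    {"b_unit": "Security", "job": "auth_dashboard", "cpu": 5, "memory": 200,
     "runtime": 40, "buckets": 10, "events": 1000, "sparseness": 1},
]

def sru_shares(jobs, weights=WEIGHTS):
    """Return {job: fraction of the hour's SRUs}.

    Assumption (not from the page): a job's share is the weighted average
    of its per-metric shares of the hourly totals.
    """
    totals = {m: sum(j[m] for j in jobs) for m in weights}
    # A metric nobody used this hour carries no information; leave it out
    # so it neither divides by zero nor dilutes the other metrics.
    used = {m: w for m, w in weights.items() if totals[m] > 0}
    weight_sum = sum(used.values())
    if weight_sum == 0:
        return {j["job"]: 0.0 for j in jobs}
    return {
        j["job"]: sum(w * j[m] / totals[m] for m, w in used.items()) / weight_sum
        for j in jobs
    }

def allocate_svc(jobs, svc_for_hour, weights=WEIGHTS):
    """Apply each job's SRU share to the hour's SVCs and roll up by B-Unit."""
    shares = sru_shares(jobs, weights)
    by_unit = {}
    for j in jobs:
        by_unit[j["b_unit"]] = by_unit.get(j["b_unit"], 0.0) + shares[j["job"]] * svc_for_hour
    return by_unit

if __name__ == "__main__":
    for unit, svc in allocate_svc(JOBS, svc_for_hour=100).items():
        print(f"{unit}: {svc:.2f} SVC")
```

Because the shares always sum to 1 under this assumption, changing a weight only moves usage between B-Units; it never changes the total being charged back.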

Your use of this app is subject to the Splunk General Terms.

Last modified on 31 August, 2022

This documentation applies to the following versions of Splunk® App for Chargeback: current
