Splunk® Insights for Infrastructure

Administer Splunk Insights for Infrastructure


This documentation does not apply to the most recent version of Infrastructure. Click here for the latest version.

Share Performance Data for Splunk Insights for Infrastructure

You can opt in to automatically share certain data about your license usage and deployment performance with Splunk Inc ("Splunk"). Splunk uses this data to make decisions about future product development, and in some cases to improve customer support.

Splunk apps

In addition to the data enumerated in this topic, the Splunk App for AWS collects additional usage data. See Share data in the Splunk App for AWS for details.

Summary of data sent to Splunk

The table below summarizes the data that your Splunk platform deployment can send to Splunk. Follow the links for more information.

Data sharing is enabled (opted in) by default. You can change these settings, for example to opt out, after upgrading to Splunk Enterprise.

| Type of data | Enabled by default? | How to opt in/out | What the data is used for |
|---|---|---|---|
| License usage data | Yes. | Settings > Instrumentation | May be used by field teams to improve a customer's implementation. |
| Anonymized usage data (not Web analytics) | Yes. | Settings > Instrumentation | Used in aggregate to improve products and services. |
| Web analytics portion of anonymized usage data | Yes. | Settings > Instrumentation | Used in aggregate to improve products and services. |
| Support usage data (not Web analytics) | Yes. | Settings > Instrumentation | Used by Support and Customer Success teams to troubleshoot and improve a customer's implementation. |
| Web analytics portion of Support usage data | Yes. | Settings > Instrumentation | Used by Support and Customer Success teams to troubleshoot and improve a customer's implementation. |
| Usage data collected by Splunk apps | Consult the app documentation. | Consult the app documentation. | Consult the app documentation. |
| Diagnostic files | No. | Sent to Support by request. | Used by Support to troubleshoot an open case. |

Opt in or out of sharing usage data

If you are using the free tier of Splunk Insights for Infrastructure, participation in our analytics program is required. If you are updating or upgrading your license to a paid license, once you upload the new license, the instrumentation dialog re-displays with the option to enable or disable sharing performance data.

The first time you run Splunk Insights for Infrastructure as an admin or equivalent, you are presented with a dialog that has the following two check boxes:

  • Help make Splunk software better! I authorize collection of anonymized information about software usage so Splunk can improve its products and services.
  • Get better Support! I authorize collection of information about software usage so Splunk can provide improved support and services for my deployment. Data will be linked to my account based on my installed licenses.
  1. Select or deselect the check boxes to indicate your data sharing preferences.
  2. Click either Skip or OK.
    | Option | Description |
    |---|---|
    | Skip | Suppresses the modal permanently for the user who clicks Skip. Use this option to defer the decision to a different admin. Default opt-ins will apply unless changes are made from within the Settings. |
    | OK | Confirm your choices and suppress the modal permanently for all users. The check boxes default to sending usage and support data. To opt out of sending such information, deselect the check boxes before clicking OK. |

Opt in or out of sharing usage and license data from the Instrumentation page

You can opt in or out at any time by navigating to Settings > Instrumentation where you can select to send usage data and license data:

  • Anonymized Usage Data includes information about your deployment performance and usage, and includes session data.
  • Support Usage Data includes information about your software usage to help provide improved support and services.
  • License Usage Data includes information describing your active licenses and the amount of data you index.

If you opt out, the searches that gather the data on your system do not run, and no usage data is sent.

If, as a paid user, you upgrade your Splunk Insights for Infrastructure license, previous opt-out decisions persist until changed.

Types of data collected

Splunk Insights for Infrastructure can collect the following types of data:

Support usage data is the same as anonymized usage data, but the license GUID is persisted when it reaches Splunk.

Note that additional data might be collected by the Splunk App for AWS. See the app documentation for details.

Anonymized or Support usage data

| Description | Components | Note |
|---|---|---|
| Active license group and subgroup, total license stack quota, license pool quota, license pool consumption, total license consumption, license stack type | licensing.stack | |
| License IDs | licensing.stack | Sent for license usage reporting as well as anonymized and Support reporting, but persisted only for users opting in to license usage or Support reporting. |
| Indexing volume, number of events, number of hosts, source type name | usage.indexing.sourcetype | |
| Number of active users | usage.users.active | |

License usage data

| Description | Component(s) | Note |
|---|---|---|
| Active license group and subgroup, total license stack quota, total license pool consumption, license stack type, license pool quota, license pool consumption | licensing.stack | |
| License IDs | licensing.stack | Sent for both reporting types, but persisted only for users opting in to license usage reporting. |

Data samples

Anonymized, Support, and license usage data is sent to Splunk as a JSON packet that includes a few pieces of information like component name and deployment ID, in addition to the data for the specific component. Here is an example of a complete JSON packet:

{
  "component": "deployment.app",
  "data": {
    "name": "alert_logevent",
    "enabled": true,
    "version": "7.0.0",
    "host": "ip-10-222-17-130"
  },
  "visibility": "anonymous,support",
  "timestamp": 1502845738,
  "date": "2017-08-15",
  "transactionID": "01AFCDA0-2857-423A-E60D-483007F38C1A",
  "executionID": "2A8037F2793D5C66F61F5EE1F294DC",
  "version": "2",
  "deploymentID": "9a003584-6711-5fdc-bba7-416de828023b"
}
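As an added example (not Splunk's code), the following Python sketch audits packets in the format shown above and reports, per `visibility` level, which identifying fields each packet carries. The set of keys treated as identifying, the function names, and the sample packets are assumptions constructed for illustration.

```python
import json

# Assumption: which keys count as identifying is this example's choice;
# every key name below appears in the sample data on this page.
IDENTIFYING_KEYS = {"host", "guid", "licenseIDs", "master", "deploymentID"}

# Constructed packets modeled on the page's examples. The "support"-only
# visibility and the malformed last entry are constructed for illustration.
SAMPLE_PACKETS = [
    '{"component": "deployment.app", "data": {"name": "alert_logevent", "enabled": true, '
    '"version": "7.0.0", "host": "ip-10-222-17-130"}, "visibility": "anonymous,support", '
    '"timestamp": 1502845738, "deploymentID": "9a003584-6711-5fdc-bba7-416de828023b"}',
    '{"component": "licensing.stack", "data": {"type": "download-trial", '
    '"licenseIDs": ["553A0D4F-3B7B-4AD5-B241-89B94386A07F"], '
    '"pools": [{"quota": 524288000, "consumption": 304049405}], "host": "docteam-unix-9"}, '
    '"visibility": "support", "deploymentID": "9a003584-6711-5fdc-bba7-416de828023b"}',
    '{"component": "usage.indexing.sourcetype", "data": {"name": "vendor_sales", "hosts:" 1}}',
]

def find_identifiers(node, path=""):
    """Recursively yield (dotted_path, value) for identifying keys in a packet."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in IDENTIFYING_KEYS:
                yield child, value
            else:
                yield from find_identifiers(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_identifiers(item, f"{path}[{i}]")

def audit(raw_packets):
    """Map each visibility level to the identifying fields it would expose."""
    report = {}
    for raw in raw_packets:
        try:
            packet = json.loads(raw)
        except json.JSONDecodeError:
            report.setdefault("unparseable", []).append(raw[:40])
            continue
        levels = [v.strip() for v in packet.get("visibility", "").split(",") if v.strip()]
        hits = [f"{packet.get('component', '?')}:{p}" for p, _ in find_identifiers(packet)]
        for level in levels or ["unlabelled"]:
            report.setdefault(level, []).extend(hits)
    return report

if __name__ == "__main__":
    for level, fields in audit(SAMPLE_PACKETS).items():
        print(level, fields)
```

Run against the raw JSON events stored in the _telemetry index, the same check shows which hostnames, GUIDs, and license IDs each sharing level would carry before you decide which options to leave enabled.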

For ease of use, the following tables show examples of only the "data" field from the JSON event.

Anonymized or Support usage data

The following are examples of the data that might be collected.

Component Data category Example
deployment.app Apps installed on search head and peers
{
    "name": "alert_logevent",
    "enabled": true,
    "version": "7.0.0",
    "host": "ip-10-222-17-130"
  }
deployment.forwarders Forwarder architecture, forwarding volume
{
    "hosts": 168,
    "instances": 497,
    "architecture": "x86_64",
    "os": "Linux",
    "splunkVersion": "6.5.0",
    "type": "uf",
    "bytes": {
        "min": 389,
        "max": 2291497,
        "total": 189124803,
        "p10": 40960,
        "p20": 139264,
        "p30": 216064,
        "p40": 269312,
        "p50": 318157,
        "p60": 345088,
        "p70": 393216,
        "p80": 489472,
        "p90": 781312
    }
}
deployment.index Indexes per search peer
{
    "name": "_audit",
    "type": "events",
    "total": {
      "rawSizeGB": null,
      "maxTime": 1502845730.0,
      "events": 1,
      "maxDataSizeGB": 488.28,
      "currentDBSizeGB": 0.0,
      "minTime": 1502845719.0,
      "buckets": 0
    },
    "host": "ip-10-222-17-130",
    "buckets": {
      "thawed": {
        "events": 0,
        "sizeGB": 0.0,
        "count": 0
      },
      "warm": {
        "sizeGB": 0.0,
        "count": 0
      },
      "cold": {
        "events": 0,
        "sizeGB": 0.0,
        "count": 0
      },
      "coldCapacityGB": "unlimited",
      "hot": {
        "sizeGB": 0.0,
        "max": 3,
        "count": 0
      },
      "homeEventCount": 0,
      "homeCapacityGB": "unlimited"
    },
    "app": "system"
  }
deployment.licensing.slave License slaves
{
    "master": "9d5c20b4f7cc",
    "slave": {
      "pool": "auto_generated_pool_enterprise",
      "guid": "A5FD9178-2E76-4149-9FGF-55DCE35E38E7",
      "host": "9d5c20b4f7cc"
    }
  }
deployment.node Host architecture, utilization
{  
    "guid": "123309CB-ABCD-4BC9-9B6A-185316600F23",
    "host": "docteam-unix-3",
    "os": "Linux",
    "osExt": "Linux",
    "osVersion": "3.10.0-123.el7.x86_64",
    "splunkVersion": "6.5.0",
    "cpu": {  
        "coreCount": 2,
        "utilization": {  
            "min": 0.01,
            "p10": 0.01,
            "p20": 0.01,
            "p30": 0.01,
            "p40": 0.01,
            "p50": 0.02,
            "p60": 0.02,
            "p70": 0.03,
            "p80": 0.03,
            "p90": 0.05,
            "max": 0.44
        },
        "virtualCoreCount": 2,
        "architecture": "x86_64"
    },
    "memory": {  
        "utilization": {  
            "min": 0.26,
            "max": 0.34,
            "p10": 0.27,
            "p20": 0.28,
            "p30": 0.28,
            "p40": 0.28,
            "p50": 0.29,
            "p60": 0.29,
            "p70": 0.29,
            "p80": 0.3,
            "p90": 0.31
        },
        "capacity": 3977003401
    },
    "disk": {  
        "fileSystem": "xfs",
        "capacity": 124014034944,
        "utilization": 0.12
    }
}
licensing.stack Licensing quota and consumption
{
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "enterprise",
    "name": "download-trial",
    "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
    ],
    "quota": 524288000,
    "pools": [
        {
            "quota": 524288000,
            "consumption": 304049405
        }
    ],
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
}
performance.indexing Indexing throughput and volume
{
    "host": "docteam-unix-5",
    "thruput": {
        "min": 412,
        "max": 9225,
        "total": 42980219,    
        "p10": 413,
        "p20": 413,
        "p30": 431,
        "p40": 450,
        "p50": 474,
        "p60": 488,
        "p70": 488,
        "p80": 488,
        "p90": 518
    }
}
performance.search Search runtime statistics
{
    "latency": {
        "min": 0.01,
        "max": 1.33,
        "p10": 0.02,
        "p20": 0.02,
        "p30": 0.05,
        "p40": 0.16,
        "p50": 0.17,
        "p60": 0.2,
        "p70": 0.26,        
        "p80": 0.34,
        "p90": 0.8
    }
}
app.session.search.interact
app.session.pageview
{
        "app": "launcher",
        "page": "home"
    }
app.session.session_start
{
        "app": "launcher",
        "splunkVersion": "6.6.0",
        "os": "Ubuntu",
        "browser": "Firefox",
        "browserVersion": "38.0",
        "locale": "en-US",
        "device": "Linux x86_64",
        "osVersion": "not available",
        "page": "home",
        "guid": "2550FC44-64E5-43P5-AS44-6ABD84C91E42"
    }
usage.app.page App page users and views
{
    "app": "search",
    "locale": "en-US",
    "occurrences": 1,
    "page": "datasets",
    "users": 1
}
usage.indexing.sourcetype Indexing by source type
{
    "name": "vendor_sales",
    "bytes": 2026348,
    "events": 30245,
    "hosts": 1
}
usage.search.concurrent Search concurrency
{
    "host": "docteam-unix-5",
    "searches": {
        "min": 1,
        "max": 11,
        "p10": 1,
        "p20": 1,
        "p30": 1,
        "p40": 1,
        "p50": 1,
        "p60": 1,
        "p70": 1,
        "p80": 2,
        "p90": 3
    }
}
usage.search.type Searches by type
{
    "ad-hoc": 1428,
    "scheduled": 225
}
usage.users.active Active users
{
    "active": 23
}

License usage data

The following is an example of the data that might be collected.

Component Data category Example
licensing.stack Licensing quota and consumption
{
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "light",
    "name": "download-trial",
    "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
    ],
    "quota": 524288000,
    "pools": [
        {
            "quota": 524288000,
            "consumption": 304049405
        }
    ],
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
}

What data is not collected

The following kinds of data are not collected:

  • Unhashed usernames or passwords.
  • Indexed data that you ingest into your Splunk platform instance.

How usage data is handled

When you enable instrumentation, usage data is transported directly to Splunk through its MINT infrastructure. Data received is securely stored within on-premises servers at Splunk with restricted access.

Anonymized usage data is aggregated, and is used by Splunk to analyze usage patterns so that Splunk can improve its products and benefit customers. License IDs collected are used only to verify that data is received from a valid Splunk product and persisted only for users opting into license usage reporting. These license IDs help Splunk analyze how different Splunk products are being deployed across the population of users and are not attached to any anonymized usage data.

See the Splunk Privacy Policy for more information.

Feature footprint

Anonymized, Support, and license usage data is summarized and sent once per day, starting at 3:05 a.m.

Session data is sent from your browser as the events are generated. The performance implications are negligible.

In order for your Splunk Insights for Infrastructure deployment to send data to Splunk, it must be connected to the internet with no firewall rules or proxy server configurations that prevent outbound traffic to https://quickdraw.splunk.com/telemetry/destination or https://*.api.splkmobile.com. If necessary, whitelist these URLs for outbound traffic.

About searches

If you opt in to anonymized, Support, or license usage data reporting, a few instances in your Splunk Insights for Infrastructure deployment collect data through ad hoc searches. Most of the searches run in sequence, starting at 3:05 a.m. on the node that runs the searches. All searches are triggered with a scripted input. See Configure the priority of scheduled reports.

Which instance runs the searches and sends data to Splunk

One primary instance in your deployment runs the distributed searches to collect most of the usage data. This primary instance is also responsible for sending the data to Splunk. Which instance acts as the primary instance depends on the details of your deployment:

  • If indexer clustering is enabled, the cluster master is the primary instance. If you have more than one indexer cluster, each cluster master is a primary instance.
  • If search head clustering is enabled but not indexer clustering, each search head captain is a primary instance.
  • If your deployment does not use clustering, the searches run on a search head.

If you opt out of instrumentation, the searches on this primary instance do not run.

Additional instances in your deployment run a smaller number of searches, depending on colocation details. See Anonymized or Support usage data. If you opt into instrumentation, the data from these searches is collected by the primary node and sent to Splunk. If you opt out, these searches still run, but no data is sent.

Instrumentation in the Splunk Insights for Infrastructure file system

After the searches run, the data is packaged and sent to Splunk, and is also indexed to the _telemetry index. By default, the _telemetry index is retained for two years, is limited in size to 256 MB, and does not count against your retention license.

The instrumentation app resides in the file system at $SPLUNK_HOME/etc/apps/splunk_instrumentation.


This documentation applies to the following versions of Splunk® Insights for Infrastructure: 1.0.0

