Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the Splunk License Usage Report View

Introduction to the License Usage Report View

The License Usage Report View (LURV) is Splunk's new consolidated resource for questions related to your license capacity and indexed volume. It provides a fast and easy approach to determine the consumption of your Splunk license. Directly from the Splunk Licensing page, get immediate insight into your daily Splunk indexing volume, as well as any license warnings. In addition, get a comprehensive view of the last 30 days of your Splunk usage with multiple reporting options.

LURV displays detailed license usage information for your license pool. The dashboard is logically divided into two parts: one displays information about today's license usage, and any warning information in the current rolling window; the other shows historic license usage during the past 30 days.

For every panel in LURV, you can click "Open in search" at the bottom left of the panel. This lets you interact with the search.

Access the license usage report view

Find LURV in Settings > Licensing > Usage report.


Access LURV on your deployment's license master. (If your deployment is only one instance, your instance is its own license master.)

Today tab

When you first arrive at LURV, you'll see five panels under the "Today" tab. These panels show the status of license usage and the warnings for the day that hasn't yet finished. The licenser's day ends at midnight in whichever time zone the license master is set to.

All the panels in the "Today" tab query the Splunk REST API.

Today's license usage panel

This panel gauges license usage for today, as well as the total daily license quota across all pools.

Today's license usage per pool panel

This panel shows the license usage for each pool as well as the daily license quota for each pool.

Today's percentage of daily license quota used per pool panel

This panel shows what percentage of the daily license quota has been indexed by each pool. The percentage is displayed on a logarithmic scale.

Pool warning information panel

This panel shows the warnings, both soft and hard, that each pool has received in the past 30 days (or since the last license reset key was applied). Read "About license violations" in this manual to learn more about soft and hard warnings, and license violations.

Slave warning information panel

For each slave, this panel shows: the number of warnings, pool membership, and whether it's in violation.

Previous 30 Days tab

Clicking on the "Previous 30 Days" tab reveals five more panels and several drop-down options.

All visualizations in these panels limit the number of host, source, source type, index, pool (any field you split by) that are plotted. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other." We've set the maximum number of values plotted to 10 using timechart. We hope this gives you enough information most of the time without making the visualizations difficult to read.

These panels all use data collected from license_usage.log, type=RolloverSummary (daily totals). If your license master is down at its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.

Split-by: no split, indexer, pool

These three split-by options are self-explanatory. Read about adding an indexer to a license pool and about license pools in previous chapters in this manual.

Split-by: source, source type, host, index

There are two things you should understand about these four split-by fields: report acceleration and squashing.

Report acceleration

Splitting by source, source type, and host uses license_usage.log type=Usage, which provides real-time usage statistics at one-minute intervals. We recommend accelerating the report that powers these split-by options on your license master. (Without acceleration, the search can be very slow, since it searches through 30 days worth of data that gets generated at a rate of one event per minute -- that's a lot of events!)

Acceleration for this report is disabled by default. To accelerate the report, click the link that shows up in the info message when you select one of these split-by values. You can also find the workflow for accelerating in Settings > Searches and reports > License usage data cube. Read "Accelerate reports" in the Reporting Manual.

Note that report acceleration can take up to 10 minutes to start after you select it for the first time. Then Splunk will take some amount time to build the acceleration summary -- typically a few to tens of minutes, depending on the amount of data it's summarizing. Only after the acceleration is finished building will you see faster performance for these split-by options.

But after the first acceleration run, subsequent reports will build on what's already there, keeping the report up-to-date (and the reporting fast). You should only have a long wait the very first time you turn on report acceleration.

Important: Enable report acceleration only on your license master.

Configure how frequently the acceleration runs in savedsearches.conf, with auto_summarize. The default is every 10 minutes. Keep it frequent, to keep the workload small and steady. We put in a cron for every 10 minutes at the 3 minute mark. This is configurable in auto_summarize.cron_schedule.


Every indexer periodically reports to license manager stats of the data indexed: broken down by source, source type, host, and index. If the number of distinct (source, source type, host, index) tuples grows over the squash_threshold, Splunk squashes the {host, source} values and only reports a breakdown by {sourcetype, index}. This is to prevent explosions in memory and license_usage.log lines.

Because of squashing on the other fields, only the split-by source type and index will guarantee full reporting (every byte). Split by source and host do not guarantee full reporting necessarily, if those two fields represent many distinct values. Splunk reports the entire quantity indexed, but not the names. So you lose granularity (that is, you don't know who consumed that amount), but you still know what the amount consumed is.

Squashing is configurable (with care!) in server.conf, in the [license] stanza, with the squash_threshold setting. You can increase the value, but doing so can use a lot of memory, so consult a Splunk Support engineer before changing it.

LURV will always tell you (with a warning message in the UI) if squashing has occurred.

If you find that you need the granular information, you can get it from metrics.log instead, using per_host_thruput.

Top 5 by average daily volume

The "Top 5" panel shows both average and maximum daily usage of the top five values for whatever split by field you've picked from the Split By menu.

Note that this selects the top five average (not peak) values. So, for example, say you have more than five source types. Source type F is normally much smaller than the others but has a brief peak. Source type F's max daily usage is very high, but its average usage might still be low (since it has all those days of very low usage to bring down its average). Since this panel selects the top five average values, source type F might still not show up in this view.


Read the next topic for a tip about configuring an alert based on a LURV panel.

Last modified on 04 November, 2014
About license violations
Use the license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters