Related Answers
Download topic as PDF
About the Splunk Enterprise license usage report view
The license usage report view (LURV) on your deployment's license master is consolidated resource for questions related to your Splunk license capacity and indexed volume. Directly from the Splunk Licensing page, you can see your daily indexing volume, any license warnings, and a view of the last 30 days of your license usage with multiple reporting options.
LURV displays detailed license usage information for your license pool. The dashboard is logically divided into two parts: one displays information about today's license usage, and any warning information in the current rolling window; the other shows historic license usage during the past 30 days.
For every panel in LURV, you can click "Open in search" at the bottom left of the panel to interact with the search.
Access the license usage report view
Find LURV in Settings > Licensing > Usage report on your deployment's license master. (If your deployment is only one instance, your instance is its own license master.)
Today tab
When you first arrive at LURV, you'll see five panels under the "Today" tab. These panels show the status of license usage and the warnings for the day that hasn't yet finished. The licenser's day ends at midnight in whichever time zone the license master is set to.
All the panels in the "Today" tab query the Splunk REST API.
Today's license usage panel
This panel gauges license usage for today, as well as the total daily license quota across all pools.
Today's license usage per pool panel
This panel shows the license usage for each pool as well as the daily license quota for each pool.
Today's percentage of daily license quota used per pool panel
This panel shows what percentage of the daily license quota has been indexed by each pool. The percentage is displayed on a logarithmic scale.
Pool usage warnings panel
This panel shows the warnings, both soft and hard, that each pool has received in the past 30 days (or since the last license reset key was applied). Read "About license violations" in this manual to learn more about soft and hard warnings, and license violations.
Slave usage warnings panel
For each license slave, this panel shows: the number of warnings, pool membership, and whether the slave is in violation.
Previous 30 Days tab
Clicking on the "Previous 30 Days" tab reveals five more panels and several drop-down options.
All visualizations in these panels limit the number of host, source, source type, index, pool (any field you split by) that are plotted. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other." We've set the maximum number of values plotted to 10 using timechart. We hope this gives you enough information most of the time without making the visualizations difficult to read.
These panels all use data collected from license_usage.log, type=RolloverSummary (daily totals). If your license master is down at its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.
Split-by: no split, indexer, pool
These three split-by options are self-explanatory.
Split-by: source, source type, host, index
There are two things you should understand about these four split-by fields: report acceleration and squashing.
Improve performance by accelerating reports
Splitting by source, source type, and host uses license_usage.log type=Usage, which provides real-time usage statistics at one-minute intervals. We recommend accelerating the report that powers these split-by options on your license master. (Without acceleration, the search can be very slow, since it searches through 30 days worth of data that gets generated at a rate of one event per minute -- that's a lot of events!)
Acceleration for this report is disabled by default. To accelerate the report, click the link that shows up in the info message when you select one of these split-by values. You can also find the workflow for accelerating in Settings > Searches and reports > License usage data cube. See Accelerate reports in the Reporting Manual.
Note that report acceleration can take up to 10 minutes to start after you select it for the first time. Then Splunk software takes some amount time to build the acceleration summary -- typically a few to tens of minutes, depending on the amount of data being summarized. Only after the acceleration is finished building will performance improve for these split-by options.
After the first acceleration run, subsequent reports build on what's already there, keeping the report up-to-date (and the reporting fast). You should have a long wait only the first time you turn on report acceleration.
Important: Enable report acceleration only on your license master.
Configure how frequently the acceleration runs in savedsearches.conf, with auto_summarize. The default is every 10 minutes. Keep it frequent, to keep the workload small and steady. We put in a cron for every 10 minutes at the 3 minute mark. This is configurable in auto_summarize.cron_schedule.
Squashing
Every indexer periodically reports to license manager stats of the data indexed: broken down by source, source type, host, and index. If the number of distinct (source, source type, host, index) tuples grows over the squash_threshold, Splunk squashes the {host, source} values and only reports a breakdown by {sourcetype, index}. This is to prevent high memory usage and an unwieldy number of license_usage.log lines.
Because of squashing on the other fields, only the split-by source type and index will guarantee full reporting (every byte). Split by source and host do not guarantee full reporting necessarily, if those two fields represent many distinct values. Splunk reports the entire quantity indexed, but not the names. So you lose granularity (that is, you don't know who consumed that amount), but you still know what the amount consumed is.
Squashing is configurable (with care!) in server.conf, in the [license] stanza, with the squash_threshold setting. You can increase the value, but doing so can use a lot of memory, so consult a Splunk Support engineer before changing it.
LURV tells you (with a warning message in Splunk Web) if squashing has occurred.
If you find that you need the granular information, you can get it from metrics.log instead, using per_host_thruput.
Top 5 by average daily volume
The "Top 5" panel shows both average and maximum daily usage of the top five values for whatever split by field you've picked from the Split By menu.
Note that this selects the top five average (not peak) values. So, for example, say you have more than five source types. Source type F is normally much smaller than the others but has a brief peak. Source type F's max daily usage is very high, but its average usage might still be low (since it has all those days of very low usage to bring down its average). Since this panel selects the top five average values, source type F might still not show up in this view.
Use LURV
Read the next topic for a tip about configuring an alert based on a LURV panel.
|
PREVIOUS About license violations |
NEXT Troubleshoot the license usage report view |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
Feedback submitted, thanks!