Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Share data in Splunk Enterprise

You can opt in to automatically share certain data about your license usage and deployment performance with Splunk, Inc. Splunk uses this data to make decisions about future product development, and does not share your information with any third parties.

Opt in or out

You can choose to send both, either, or neither of two types of data:

  • License usage data describing your active licenses and the amount of data you index.
  • Anonymized usage data about your deployment performance.

The first time you run Splunk Web on a search head as an admin or equivalent, you are presented with a modal. The options on the modal are as follows:

  • Click Skip to suppress the modal permanently for the user who clicks Skip. Use this option to defer the decision to a different admin.
  • Click OK to confirm your selection and suppress the modal permanently for all users.

Neither category of data is sent unless you click OK with one or both boxes checked. You can opt in or out at any time by navigating to Settings > Instrumentation.

If you opt out, the searches that gather the data on your system do not run, and no data is sent.

The ability to enable or disable instrumentation is controlled by the edit_telemetry_settings capability.

What data is collected

For either type of data, you can view what data has been sent in Splunk Web.

  1. Navigate to Settings > Instrumentation.
  2. Under the relevant data category ("Anonymized usage data" or "License usage data"), click View Log.
  3. Click View Data.

This log of data is available only after the first run of the collection (see Feature footprint). To inspect the type of data that gets sent before opting in on your production environment, you can opt in on your sandbox environment.

Anonymized usage data is not tied to customer accounts, and is used only in aggregate for analysis. Note that anonymized usage data is not encrypted when it is collected. Data received is securely stored within on-premise servers at Splunk, with access restricted to aggregate analyses only. License IDs collected are used only to verify that data is received from a valid Splunk product, and to help analyze how different Splunk products are being deployed across the population of users.

The following table describes the data collected if you opt in to both programs. The data is in JSON format tagged with a field named "component."

Description Component(s) Note
Active license group and subgroup, total license stack quota, total license pool consumption, license stack type, license pool quota, license pool consumption licensing.stack
License IDs licensing.stack Sent for both reporting types, but persisted only for users opting in to license usage reporting.
Number of nodes in indexer cluster, replication factor and search factor for indexer cluster deployment.clustering.indexer
GUID, host, number of cores by type (virtual/physical), CPU architecture, memory size, storage (partition) capacity, OS/version, Splunk version deployment.node For each indexer or search head
Number of hosts, number of Splunk software instances, OS/version, CPU architecture, Splunk software version, distribution of forwarding volume deployment.forwarders For forwarders
Core utilization, storage utilization, memory usage, indexing throughput, search latency deployment.node performance.indexing performance.search
Indexing volume, number of events, number of hosts, source type name usage.indexing.sourcetype
Number of active users usage.users.active
Number of searches of each type, distribution of concurrent searches usage.search.type usage.search.concurrent
App name, page name, locale, number of users, number of page loads usage.app.page

Data samples

Click Expand to view examples of the data that is collected.

Component Data category Example
deployment.clustering.indexer Clustering configuration
    "host": "docteam-unix-5",
    "summaryReplication": true,
    "siteReplicationFactor": null,
    "enabled": true,
    "multiSite": false,
    "searchFactor": 2,
    "siteSearchFactor": null,
    "timezone": "-0700",
    "replicationFactor": 3
deployment.forwarders Forwarder architecture, forwarding volume
    "hosts": 168,
    "instances": 497,
    "architecture": "x86_64",
    "os": "Linux",
    "splunkVersion": "6.5.0",
    "type": "uf",
    "bytes": {
        "min": 389,
        "max": 2291497,
        "total": 189124803,
        "p10": 40960,
        "p20": 139264,
        "p30": 216064,
        "p40": 269312,
        "p50": 318157,
        "p60": 345088,
        "p70": 393216,
        "p80": 489472,
        "p90": 781312
deployment.node Host architecture, utilization
    "guid": "123309CB-ABCD-4BB9-9B6A-185316600F23",
    "host": "docteam-unix-3",
    "os": "Linux",
    "osExt": "Linux",
    "osVersion": "3.10.0-123.el7.x86_64",
    "splunkVersion": "6.5.0",
    "cpu": {  
        "coreCount": 2,
        "utilization": {  
            "min": 0.01,
            "p10": 0.01,
            "p20": 0.01,
            "p30": 0.01,
            "p40": 0.01,
            "p50": 0.02,
            "p60": 0.02,
            "p70": 0.03,
            "p80": 0.03,
            "p90": 0.05,
            "max": 0.44
        "virtualCoreCount": 2,
        "architecture": "x86_64"
    "memory": {  
        "utilization": {  
            "min": 0.26,
            "max": 0.34,
            "p10": 0.27,
            "p20": 0.28,
            "p30": 0.28,
            "p40": 0.28,
            "p50": 0.29,
            "p60": 0.29,
            "p70": 0.29,
            "p80": 0.3,
            "p90": 0.31
        "capacity": 3977003401
    "disk": {  
        "fileSystem": "xfs",
        "capacity": 124014034944,
        "utilization": 0.12
licensing.stack Licensing quota and consumption
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "enterprise",
    "name": "download-trial",
    "licenseIDs": [
    "quota": 524288000,
    "pools": [
            "quota": 524288000,
            "consumption": 304049405
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
performance.indexing Indexing throughput and volume
    "host": "docteam-unix-5",
    "thruput": {
        "min": 412,
        "max": 9225,
        "total": 42980219,    
        "p10": 413,
        "p20": 413,
        "p30": 431,
        "p40": 450,
        "p50": 474,
        "p60": 488,
        "p70": 488,
        "p80": 488,
        "p90": 518
performance.search Search runtime statistics
    "latency": {
        "min": 0.01,
        "max": 1.33,
        "p10": 0.02,
        "p20": 0.02,
        "p30": 0.05,
        "p40": 0.16,
        "p50": 0.17,
        "p60": 0.2,
        "p70": 0.26,        
        "p80": 0.34,
        "p90": 0.8
usage.app.page App page users and views
    "app": "search",
    "locale": "en-US",
    "occurrences": 1,
    "page": "datasets",
    "users": 1
usage.indexing.sourcetype Indexing by source type
    "name": "vendor_sales",
    "bytes": 2026348,
    "events": 30245,
    "hosts:" 1
usage.search.concurrent Search concurrency
    "host": "docteam-unix-5"
    "searches": {
        "min": 1,
        "max": 11,
        "p10": 1,
        "p20": 1,
        "p30": 1,
        "p40": 1,
        "p50": 1,
        "p60": 1,
        "p70": 1,
        "p80": 2,
        "p90": 3
usage.search.type Searches by type
    "ad-hoc": 1428,
    "scheduled": 225
usage.users.active Active users
    "active": 23

What data is not collected

The following kinds of data are not collected:

  • Usernames or passwords.
  • Indexed data that you ingest into your Splunk platform instance.

Why send license usage data

Certain license programs require that you report your license usage. The easiest way to do this is to opt in to automatically send this information to Splunk.

If you do not opt in to automatic license data sharing, you can send this data manually. On a search head, log into Splunk Web. Select Settings > Instrumentation and follow the instructions for exporting the data to your local directory.

Feature footprint

The data is summarized and sent once per day, starting at 3:05 a.m.

About searches

If you opt in, one instance in your Splunk Enterprise deployment collects data through ad hoc searches. All searches run in sequence, starting at 3:05 a.m. on the node that runs the searches. All searches are triggered with a scripted input. See Configure the priority of scheduled reports.

Which node runs the searches

Only one node in your deployment runs the searches to collect the usage data. Which instance that is depends on the details of your deployment:

  • If indexer clustering is enabled, the searches run on the cluster master.
  • If search head clustering is enabled but not indexer clustering, the searches run on the search head captain.
  • If your deployment does not use clustering, the searches run on a search head.

Instrumentation in the Splunk Enterprise file system

After the searches run, the data is packaged and sent to Splunk, as well as indexed to the _telemetry index. The _telemetry index is retained for two years by default and is limited in size to 256 MB.

The instrumentation app resides in the file system at $SPLUNK_HOME/etc/apps/splunk_instrumentation.

Last modified on 22 June, 2018
Secure your configuration
How Splunk Enterprise licensing works

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters