Related Answers
Download topic as PDF
You can opt in to automatically share certain data about your license usage and deployment performance with Splunk, Inc. Splunk uses this data to make decisions about future product development, and does not share your information with any third parties.
Opt in or out
You can choose to send both, either, or neither of two types of data:
- License usage data describing your active licenses and the amount of data you index.
- Anonymized usage data about your deployment performance.
The first time you run Splunk Web on a search head as an admin or equivalent, you are presented with a modal. The options on the modal are as follows:
- Click Skip to suppress the modal permanently for the user who clicks Skip. Use this option to defer the decision to a different admin.
- Click OK to confirm your selection and suppress the modal permanently for all users.
Neither category of data is sent unless you click OK with one or both boxes checked. You can opt in or out at any time by navigating to Settings > Instrumentation.
If you opt out, the searches that gather the data on your system do not run, and no data is sent.
The ability to enable or disable instrumentation is controlled by the edit_telemetry_settings capability.
What data is collected
For either type of data, you can view what data has been sent in Splunk Web.
- Navigate to Settings > Instrumentation.
- Under the relevant data category ("Anonymized usage data" or "License usage data"), click View Log.
- Click View Data.
This log of data is available only after the first run of the collection (see Feature footprint). To inspect the type of data that gets sent before opting in on your production environment, you can opt in on your sandbox environment.
Anonymized usage data is not tied to customer accounts, and is used only in aggregate for analysis. Note that anonymized usage data is not encrypted when it is collected. Data received is securely stored within on-premise servers at Splunk, with access restricted to aggregate analyses only. License IDs collected are used only to verify that data is received from a valid Splunk product, and to help analyze how different Splunk products are being deployed across the population of users.
The following table describes the data collected if you opt in to both programs. The data is in JSON format tagged with a field named "component."
| Description | Component(s) | Note |
|---|---|---|
| Active license group and subgroup, total license stack quota, total license pool consumption, license stack type, license pool quota, license pool consumption | licensing.stack
|
|
| License IDs | licensing.stack
|
Sent for both reporting types, but persisted only for users opting in to license usage reporting. |
| Number of nodes in indexer cluster, replication factor and search factor for indexer cluster | deployment.clustering.indexer
|
|
| GUID, host, number of cores by type (virtual/physical), CPU architecture, memory size, storage (partition) capacity, OS/version, Splunk version | deployment.node
|
For each indexer or search head |
| Number of hosts, number of Splunk software instances, OS/version, CPU architecture, Splunk software version, distribution of forwarding volume | deployment.forwarders
|
For forwarders |
| Core utilization, storage utilization, memory usage, indexing throughput, search latency | deployment.node performance.indexing performance.search
|
|
| Indexing volume, number of events, number of hosts, source type name | usage.indexing.sourcetype
|
|
| Number of active users | usage.users.active
|
|
| Number of searches of each type, distribution of concurrent searches | usage.search.type usage.search.concurrent
|
|
| App name, page name, locale, number of users, number of page loads | usage.app.page
|
Data samples
What data is not collected
The following kinds of data are not collected:
- Usernames or passwords.
- Indexed data that you ingest into your Splunk platform instance.
Why send license usage data
Certain license programs require that you report your license usage. The easiest way to do this is to opt in to automatically send this information to Splunk.
If you do not opt in to automatic license data sharing, you can send this data manually. On a search head, log into Splunk Web. Select Settings > Instrumentation and follow the instructions for exporting the data to your local directory.
Feature footprint
The data is summarized and sent once per day, starting at 3:05 a.m.
About searches
If you opt in, one instance in your Splunk Enterprise deployment collects data through ad hoc searches. All searches run in sequence, starting at 3:05 a.m. on the node that runs the searches. All searches are triggered with a scripted input. See Configure the priority of scheduled reports.
Which node runs the searches
Only one node in your deployment runs the searches to collect the usage data. Which instance that is depends on the details of your deployment:
- If indexer clustering is enabled, the searches run on the cluster master.
- If search head clustering is enabled but not indexer clustering, the searches run on the search head captain.
- If your deployment does not use clustering, the searches run on a search head.
Instrumentation in the Splunk Enterprise file system
After the searches run, the data is packaged and sent to Splunk, as well as indexed to the _telemetry index. The _telemetry index is retained for two years by default and is limited in size to 256 MB.
The instrumentation app resides in the file system at $SPLUNK_HOME/etc/apps/splunk_instrumentation.
|
PREVIOUS Secure your configuration |
NEXT How Splunk Enterprise licensing works |
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Feedback submitted, thanks!