Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

About the Splunk Enterprise license usage report view

The license usage report view provides information on license capacity and indexing volume. You can see daily indexing volume, any license warnings, and a view of the last 30 days of license usage.

Access the license usage report view

On the license master, access the dashboard for the license usage report view:

  1. Navigate to Settings > Licensing.
  2. Click Usage report.

The dashboard includes these tabs:

  • Today
  • Previous 30 Days

Today tab

The license usage report view provides several panels under the Today tab. These panels show the status of license usage and the warnings for the current day. The license day ends at midnight according to the license master's clock

Today's license usage panel

This panel shows today's license usage and the total daily license quota across all pools.

Today's license usage per pool panel

This panel shows today's license usage and the daily license quota for each pool.

Today's percentage of daily license quota used per pool panel

This panel shows what percentage of today's license quota has been used by each pool. The percentage is displayed on a logarithmic scale.

Pool usage warnings panel

This panel shows the warnings, both soft and hard, that each pool has received in the past 30 days or since the last license reset key was applied. See "About license violations".

Slave usage warnings panel

For each license slave, this panel shows the number of warnings, its pool membership, and whether the slave is in violation.

Previous 30 Days tab

The Previous 30 Days tab contains several panels and drop-down options.

The visualizations in these panels limit the number of values plotted for each field that you can split by host, source, source type, index, indexer, or pool. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other."

These panels all use data collected from license_usage.log, type=RolloverSummary (daily totals). If the license master is down at its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.

Split-by: no split, indexer, pool

These three split-by options are self-explanatory.

Split-by: source, source type, host, index

These split-by fields require explanation for how they employ report acceleration and squashing.

Improve performance by accelerating reports

Splitting by source, source type, and host uses license_usage.log type=Usage, which provides real-time usage statistics at one-minute intervals. Without acceleration, the search can be very slow, because it searches through 30 days of data, and that data gets generated at the rate of one event per minute.To improve performance, accelerate the report that powers these split-by options.

Acceleration for this report is disabled by default. To accelerate the report, click the link that shows up in the info message when you select one of these split-by values. You can also find the workflow for accelerating in Settings > Searches and reports > License usage data cube. See Accelerate reports in the Reporting Manual.

Report acceleration can take up to 10 minutes to start after you select it for the first time. It then takes additional time to build the acceleration summary, from a few minutes to an hour depending on the amount of data being summarized. After the first acceleration run, subsequent reports build on what's already there, keeping the report up-to-date.

Enable report acceleration only on your license master.

Configure how frequently the acceleration runs in savedsearches.conf, with auto_summarize. The default is every 10 minutes. Keep the interval frequent, to make the workload small and steady. The default uses a cron job set for every 10 minutes at the 3 minute mark. This is configurable in auto_summarize.cron_schedule.

Squashing

Every license slave periodically reports to the license master its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, sourcetype, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by sourcetype and index. This is done to prevent high memory usage and an unwieldy number of license_usage.log lines.

Because of squashing on the other fields, only the split-by sourcetype and index guarantee full reporting. Split-by source and host do not guarantee full reporting if those two fields represent many distinct values. The report shows the entire quantity indexed, but not the names. Therefore, you don't know who consumed a particular amount, but you still know what the amount consumed is.

Squashing is configurable in server.conf, in the [license] stanza, with the squash_threshold setting. Increasing the value puts a load on memory usage, so consult Splunk Support before changing the setting.

The license usage report emits a warning message when squashing occurs.

To view more granular information without squashing, search metrics.log for per_host_thruput.

Top 5 by average daily volume

The Top 5 panel shows average and maximum daily usage of the top five values for whatever split-by field you choose from the Split By menu.

The panel selects the top five average, not peak, values to display. So, for example, say you have more than five source types. Source type F is normally much smaller than the others but has a brief peak. Source type F's max daily usage is thus very high, but its average usage might still be low (since it has all those days of very low usage to bring down its average). Since this panel selects the top five values by average, source type F might not show up in this view.

Identify metrics data in your license usage report

You can identify metrics data by clicking the Previous 30 days tab and sorting by index.

Set up an alert

You can turn any of the license usage report view panels into an alert. For example, say you want to set up an alert for when license usage reaches 80% of the quota.

  1. Go to the Today's percentage of daily license usage quota used panel.
  2. Click "Open in search" at the bottom left of a panel.
  3. Append | where '% used' > 80
  4. Select Save as > Alert and follow the alerting wizard.

Splunk Enterprise comes with several preconfigured alerts that you can enable. See Enable and configure platform alerts in Monitoring Splunk Enterprise.

Last modified on 20 May, 2020
PREVIOUS
About license violations
  NEXT
Troubleshoot the license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters