Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

About the Splunk Enterprise license usage report view

If you want to view and monitor your license capacity usage and indexing volume over time, use the license usage reports. The reports are available on both the license master and the monitoring console roles. To learn about licenses, and license stacks and pools, see Allocate license volume.

Access the license usage report view

On the license master:

  1. Navigate to Settings > Licensing.
  2. Select Usage report.

On the monitoring console:

  1. Navigate to Settings > Monitoring Console.
  2. Navigate to Indexing > License Usage.
  3. Select License Usage.


License Usage - Today

The panels in this report show the status of license usage and the warnings for the current day. The panels include:

Panel name Description
Today's license usage (GB) Today's license usage and the total daily license quota across all pools.
Today's license usage per pool Today's license usage and the daily license quota for each pool.
Today's percentage of daily license quota used per pool The percentage of today's license quota used by each pool. The percentage is displayed on a logarithmic scale.
Pool usage warnings Displays any warnings that a pool has received in the past 30 days, or since the last license reset key was applied. See "About license violations".
Slave usage warnings The pool membership, number of warnings, and violations recorded for each license slave.

License Usage - Previous 30 Days

The panels in this report show the historical license usage and the warnings. The report uses data collected from the license_usage.log, message type=RolloverSummary. These represent the daily totals recorded for all peer or slave nodes.

If the license master is down during the time period that represents its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.

The panels include:

Panel name Split by Description
Daily License Usage Yes: pool, indexer, source type, host, source, index. The total daily license usage over time. Use the split-by option to sort.
Percentage of Daily License Quota Used Yes: pool, indexer, source type, host, source, index. The percentage of the daily license quota used over time. Use the split-by option to sort.
Average and Peak Daily Volume Yes: pool, indexer, source type, host, source, index. The average and peak license usage over time. Use the split-by option to sort.

The visualizations in these panels limit the number of values plotted for each field that you can split by host, source, source type, index, indexer, or pool. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other."

Improve performance by accelerating reports

By default, generating a historical report using a split-by field with many values will take some time to run. You can accelerate the report If you plan to run it regularly.

Enable report acceleration on the instance where you plan to view the licensing report: the license master or the monitoring console.

When you use the split by option for source type, host, source, or index; you'll be prompted to turn on report acceleration. You can view the options and schedule for accelerating licensing searches in Settings > Searches, Reports, and Alerts > License Usage Data Cube. Report acceleration can take up to 10 minutes to start after you select it for the first time. After the historical data has been summarized, the data is kept current using a scheduled report. See Accelerate reports in the Reporting Manual.

Squashing fields

Every license slave periodically reports the stats for data indexed by source, source type, host, and index to the license master. If the number of distinct tuples (host, source, sourcetype, index) grows beyond a configurable threshold, the host and source values are automatically squashed. This is done to lower memory usage and prevent a flood of log events. The license usage report emits a warning message when squashing occurs. Because of squashing on the host and source fields, only the split by source type and index choices offer full reporting.

The squashing threshold is configurable. Increasing the value increases memory usage. See the squash_threshold setting in server.conf.

To view more granular information without squashing, search metrics.log for per_host_thruput.

Identify metrics data in your license usage report

You can identify metrics data by selecting License Usage - Previous 30 Days, and split by index.

Set up an alert

You can turn any of the license usage report view panels into an alert. For example, say you want to set up an alert for when license usage reaches 80% of the quota.

  1. Go to the Today's percentage of daily license usage quota used panel.
  2. Click "Open in search" at the bottom left of a panel.
  3. Append | where '% used' > 80
  4. Select Save as > Alert and follow the alerting wizard.

Splunk Enterprise comes with several preconfigured alerts that you can enable. See Enable and configure platform alerts in Monitoring Splunk Enterprise.

Last modified on 06 November, 2020
PREVIOUS
About license violations
  NEXT
Troubleshoot the license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters