You can opt in to automatically share certain data about your license usage and deployment performance with Splunk Inc ("Splunk"). Splunk uses this data to make decisions about future product development, and in some cases to improve customer support.
Splunk apps
In addition to the data enumerated in this topic, certain apps might collect usage data. See the documentation for your app for details. The following apps collect additional data. Check back for updates.
- Splunk Add-on Builder: Share data in Splunk Add-on Builder
- Splunk App for AWS: Share data in the Splunk App for AWS
- Splunk Business Flow: Share data in Splunk Business Flow
- Splunk DB Connect: Share data in Splunk DB Connect
- Splunk Enterprise Security: Share data in Splunk Enterprise Security
- Splunk Industrial Asset Intelligence: Share data in Splunk Industrial Asset Intelligence
- Splunk IT Service Intelligence: Share data in Splunk IT Service Intelligence
- Splunk Machine Learning Toolkit: Share data in the Splunk Machine Learning Toolkit
- Splunk Metrics Workspace: Share data in the Splunk Metrics Workspace
- Splunk Security Essentials: Sending usage data to Splunk for Splunk Security Essentials
Summary of data sent to Splunk
The table below summarizes the data that your Splunk platform deployment can send to Splunk, Inc. Follow the links for more information. Splunk Enterprise 7.3.0 includes the Splunk Metrics Workspace app that can send the additional data described in Share data in the Splunk Metrics Workspace.
Type of data | Enabled by default? | How to opt in/out | How to view example data | What the data is used for |
---|---|---|---|---|
License usage data | On new installation, yes. On upgrade, your previous selection is honored. | Settings > Instrumentation | Settings > Instrumentation | Required by select license types, like true-up licenses. May be used by field teams to improve a customer's implementation. |
Anonymized usage data (not Web analytics) | No. | Settings > Instrumentation | Settings > Instrumentation | Used in aggregate to improve products and services. |
Web analytics portion of anonymized usage data | No. | Settings > Instrumentation | See What usage data is collected. | Used in aggregate to improve products and services. |
Support usage data (not Web analytics) | No. | Settings > Instrumentation | Settings > Instrumentation | Used by Support and Customer Success teams to troubleshoot and improve a customer's implementation. |
Web analytics portion of Support usage data | No. | Settings > Instrumentation | See What usage data is collected. | Used by Support and Customer Success teams to troubleshoot and improve a customer's implementation. |
Banner phone home | Yes. | See About update checker data. | See About update checker data. | Used by Splunk software to display a message in Splunk Web when a new version is available, and by Splunk to understand aggregate usage information. |
Usage data collected by Splunk apps | Consult the app documentation. | Consult the app documentation. | Consult the app documentation. | Consult the app documentation. |
Diagnostic files | No. | Sent to Support by request. See Generate a diag in the Troubleshooting Manual. | Run the diag command with appropriate flags, inspect the file it creates before you upload it to your case. | Used by Support to troubleshoot an open case. |
Opt in or out of sharing usage data
The first time you run Splunk Web on a search head as an admin or equivalent, you are presented with a modal window that has the following two selectable check boxes:
- Help make Splunk software better! I authorize collection of anonymized information about software usage so Splunk can improve its products and services.
- Get better Support! I authorize collection of information about software usage so Splunk can provide improved support and services for my deployment. Data will be linked to my account based on my installed licenses.
- Select or deselect the check boxes to indicate your data sharing preferences.
- Click either Skip or OK.
Option | Description |
---|---|
Skip | Suppresses the modal permanently for the user who clicks Skip. Use this option to defer the decision to a different admin. Default opt-ins apply unless you or another Splunk admin make changes in Settings > Instrumentation. |
OK | Confirm your choices and suppress the modal permanently for all users. |
The check boxes are defaulted to send usage and support data. To opt out of sending this information, deselect the check boxes before clicking OK. You can opt in or out at any time by navigating to Settings > Instrumentation.
To enable or disable collection of usage data, your user role must include the edit_telemetry_settings capability.
License usage data is sent by default starting in Splunk Enterprise 7.0.0.
Opt out of sharing all usage data and prevent future admins from enabling sharing
The opt-in modal controls sharing for anonymized and Support data, but license usage data is sent by default for new installations starting in Splunk Enterprise 7.0.0.
To opt out from all collection of usage data and prevent other admins from enabling it in the future, do the following on one search head in each cluster and on each nonclustered search head:
- Click Settings > Instrumentation in Splunk Web.
- Click the gear icon next to Usage Data.
- Disable all options.
- Click Settings > Access controls > Roles.
- Remove the edit_telemetry_settings capability from the admin role. Users with this role no longer receive opt-in modals, nor can they access Settings > Instrumentation in Splunk Web.
If you want to disable collection of usage information across multiple deployments of the Splunk platform that are not centrally managed, block DNS resolution of e1345286.api.splkmobile.com, the endpoint that is used to perform the data collection.
What usage data is collected
View non-session usage data
For license usage data, the anonymized usage data that is not browser session data, and the Support usage data that is not session data, you can view what data has been recently sent in Splunk Web.
- Navigate to Settings > Instrumentation.
- Click the category of data you wish to view in Search.
This log of data is available only after the first run of the collection. To inspect the type of data that gets sent before you opt in on your production environment, you can opt in on your sandbox environment.
For the usage data logs to be created and available, your search heads, indexers, and cluster master must be running Splunk Enterprise version 6.5.0 or later.
View session data
To view the remaining anonymized or Support usage data, the browser session data, use JavaScript logging in your browser. Look for network events sent to a URL containing splkmobile. Events are triggered by actions such as navigating to a new page in Splunk Web.
The tables below describe the data collected if you opt in to both usage data programs and do not turn off update checker. The usage data is in JSON format tagged with a field named component.
New for Splunk Enterprise 7.x
Starting in Splunk Enterprise 7.0.0, you have the option of sending Support data. This is the same data as the anonymized usage data, but if you opt to send Support data, Splunk can use the license GUID to identify usage data from a specific customer account.
Upon upgrade, you are presented with an opt-in modal advising you of additional data collection.
- No anonymized or Support usage data is collected (including the fields collected pre-6.6.0) until you confirm your selection, either in the opt-in modal or in Settings > Instrumentation.
- If you upgrade from Splunk Enterprise version 6.5.0 or later, then your previous License Usage selection is respected. If you are installing a new Splunk Enterprise instance or upgrading from Splunk Enterprise 6.4.x or earlier, License Usage data is sent by default. You can opt out in Settings > Instrumentation.
In addition, the following pieces of data are included starting with Splunk Enterprise version 7.0.0:
Topology information:
- license slaves
- indexer cluster members
- indexer cluster search heads
- distributed search peers
- search head cluster members
Index information:
- indexes per search peer
App information:
- apps installed on search heads and search peers
Types of data collected by Splunk Enterprise
Splunk Enterprise can collect the following types of data:
- Anonymized or Support usage data (including session data)
- License usage data
- Update checker data
Support usage data is the same as the anonymized usage data, but the license GUID is persisted when it reaches Splunk, Inc.
Note that additional data might be collected by certain apps. See app documentation for details.
Anonymized or Support usage data
Description | Components | Note |
---|---|---|
Active license group and subgroup, total license stack quota, license pool quota, license pool consumption, total license consumption, license stack type | licensing.stack | |
License IDs | licensing.stack | Sent for license usage reporting as well as anonymized and Support reporting, but persisted only for users opting in to license usage or Support reporting. |
Host name of an indexer, replication factor and search factor for indexer cluster | deployment.clustering.indexer | |
Indexer cluster member | deployment.clustering.member | Collected by a search running on the cluster master. |
Indexer cluster search head | deployment.clustering.searchhead | Collected by a search running on the cluster master. |
Number of hosts, number of Splunk software instances, OS/version, CPU architecture, Splunk software version, distribution of forwarding volume | deployment.forwarders | Collected for forwarders. |
Distributed search peers | deployment.distsearch.peer | Collected by a search running on a search head captain or, in the absence of a search head cluster, a search head. |
Indexes per search peer | deployment.index | Collected by a search running on a search head cluster captain or, in the absence of a search head cluster, a search head. |
License slaves | deployment.licensing.slave | Collected by a search running on the license master. |
GUID, host, number of cores by type (virtual/physical), CPU architecture, memory size, storage (partition) capacity, OS/version, Splunk version | deployment.node | For each indexer or search head. |
Core utilization, storage utilization, memory usage, indexing throughput, search latency | deployment.node, performance.indexing, performance.search | |
Search head cluster members | deployment.shclustering.member | Collected by a search running on the search head captain. |
Indexing volume, number of events, number of hosts, source type name | usage.indexing.sourcetype | |
Number of active users | usage.users.active | |
Number of searches of each type, distribution of concurrent searches | usage.search.type, usage.search.concurrent | |
List of commands and corresponding counts for all searches run on the system in the span of 1 day. | usage.search.searchTelemetry | Aggregated on a set schedule from search job data collected in the introspection index. |
Apps installed on search head and search peers | deployment.app | Collected by a search running on a search head cluster captain or, in the absence of a search head cluster, a search head. |
App name, page name, locale, number of users, number of page loads | usage.app.page | Session data. |
deploymentID (identifier for deployment), eventID (identifier for this specific event), experienceID (identifier for this session), userID (hashed username), data.guid (GUID for instance serving the page) | app.session.session_start | Session data. Triggered when user is first authenticated. |
Page views | app.session.pageview | Session data. Triggered when user visits a new page. |
Adding data page interaction | app.session.page.interact | Tracks user page interactions within the adding data context. This includes any data sources searched for, which collection method is chosen, and what deployment type is selected. |
Page loads | app.session.page.load | Tracks loads and whether web serviced is supported. Triggered when a page is loaded. |
Dashboard characteristics | app.session.dashboard.pageview | Session data. Triggered when a dashboard is loaded. |
Pivot characteristics | app.session.pivot.load | Session data. Triggered when a pivot is loaded. |
Pivot changes | app.session.pivot.interact | Session data. Triggered when a change is made to a pivot. |
Search page interaction | app.session.search.interact | Session data. Triggered with interaction with search page. |
Hashed host and guid, authentication method (Splunk, LDAP, or SAML), mfa type (none, Duo, or RSA) | usage.authMethod.config | Collected by a search running on the cluster master and search head cluster captain. |
Alert actions and enabled status, feature thresholds and enabled status | usage.healthMonitor.report | Collected by a search running on the cluster master and search head cluster captain. |
Hashed host and guid, attribute configurations | usage.passwordPolicy.config | Collected by a search running on the cluster master and search head cluster captain. |
Global configuration, per index configuration, hashed index names (internal and external) | usage.smartStore.Config | Collected by a search running on the cluster master and search head cluster captain. |
Hashed host and guid, OS/version, server roles, wlm supported and enabled, pool configurations, rule configurations | usage.workloadManagement.report | Collected by a search running on the cluster master and search head cluster captain. |
License usage data
Description | Component(s) | Note |
---|---|---|
Active license group and subgroup, total license stack quota, total license pool consumption, license stack type, license pool quota, license pool consumption | licensing.stack | |
License IDs | licensing.stack | Sent for both reporting types, but persisted only for users opting in to license usage reporting. |
Data samples
Anonymized, Support, and license usage data is sent to Splunk as a JSON packet that includes a few pieces of information like component name and deployment ID, in addition to the data for the specific component. Here is an example of a complete JSON packet:
{ "component": "deployment.app", "data": { "name": "alert_logevent", "enabled": true, "version": "7.0.0", "host": "ip-10-222-17-130" }, "visibility": "anonymous,support", "timestamp": 1502845738, "date": "2017-08-15", "transactionID": "01AFCDA0-2857-423A-E60D-483007F38C1A", "executionID": "2A8037F2793D5C66F61F5EE1F294DC", "version": "2", "deploymentID": "9a003584-6711-5fdc-bba7-416de828023b" }
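An added example (not Splunk's code): a short Python audit of packets in the layout shown above, reporting for each component its visibility tags and any plaintext host names or GUIDs inside the data field. The one-packet-per-line input, all sample values, the `HOST_KEYS` list, and the rule that 40- or 64-character hex strings count as hashed are assumptions made for this example.

```python
import json
import re

# Assumption: values shaped like the hashed fields in this page's samples
# (40 or 64 lowercase hex characters) are treated as already hashed.
HASHED = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
GUID = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Assumption: keys that hold a machine name in the samples on this page.
HOST_KEYS = {"host", "master", "captain"}


def find_identifiers(value, path="data", key=None):
    """Walk a packet's data field; return (path, kind) for every plaintext
    host name or GUID. Hashed values are skipped."""
    if isinstance(value, dict):
        found = []
        for child_key, child in value.items():
            found += find_identifiers(child, f"{path}.{child_key}", child_key)
        return found
    if isinstance(value, list):
        found = []
        for index, child in enumerate(value):
            found += find_identifiers(child, f"{path}[{index}]", key)
        return found
    if isinstance(value, str) and not HASHED.match(value):
        if GUID.match(value):
            return [(path, "guid")]
        if key in HOST_KEYS:
            return [(path, "hostname")]
    return []


def audit(lines):
    """Summarise packets (one JSON document per line) by component."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        try:
            packet = json.loads(line)
        except json.JSONDecodeError:
            packet = None
        if not isinstance(packet, dict):
            # Keep a count of lines that could not be inspected.
            packet = {"component": "<unparseable>"}
        entry = report.setdefault(
            packet.get("component", "<missing component>"),
            {"count": 0, "visibility": set(), "identifiers": set()},
        )
        entry["count"] += 1
        tags = str(packet.get("visibility", "")).split(",")
        entry["visibility"].update(t.strip() for t in tags if t.strip())
        entry["identifiers"].update(find_identifiers(packet.get("data", {})))
    return report


def review_list(report):
    """Components whose data carries at least one plaintext identifier."""
    return sorted(c for c, e in report.items() if e["identifiers"])


def _packet(component, data):
    """Build one constructed packet line using the envelope fields on this page."""
    return json.dumps({
        "component": component,
        "data": data,
        "visibility": "anonymous,support",
        "timestamp": 1502845738,
        "deploymentID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "version": "2",
    })


# Constructed sample input; none of these values come from a real deployment.
SAMPLE_PACKETS = [
    _packet("deployment.app", {"name": "alert_logevent", "enabled": True,
                               "version": "7.0.0", "host": "sh-example-01"}),
    _packet("deployment.clustering.member", {
        "site": "default", "master": "cm-example-01",
        "member": {"status": "Up", "host": "idx-example-01",
                   "guid": "11111111-2222-3333-4444-555555555555"}}),
    _packet("usage.authMethod.config", {
        "host": "0123456789abcdef0123456789abcdef01234567",
        "guid": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
        "authentication method": "Splunk", "mfa type": "none"}),
    _packet("usage.search.type", {"ad-hoc": 10, "scheduled": 2}),
]

if __name__ == "__main__":
    for component, entry in sorted(audit(SAMPLE_PACKETS).items()):
        print(component, sorted(entry["visibility"]), sorted(entry["identifiers"]))
```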
For ease of use, the following tables show examples of only the "data" field from the JSON event.
Anonymized or Support usage data
Component | Data category | Example |
---|---|---|
deployment.app | Apps installed on search head and peers | { "name": "alert_logevent", "enabled": true, "version": "7.0.0", "host": "ip-10-222-17-130" } |
deployment.clustering.indexer | Clustering configuration | { "host": "docteam-unix-5", "summaryReplication": true, "siteReplicationFactor": null, "enabled": true, "multiSite": false, "searchFactor": 2, "siteSearchFactor": null, "timezone": "-0700", "replicationFactor": 3 } |
deployment.clustering.member | Indexer cluster member | { "site": "default", "master": "ip-10-212-28-184", "member": { "status": "Up", "guid": "471A2F25-CD92-4250-AA17-4E49819B897A", "host": "ip-10-212-28-4" } } |
deployment.clustering.searchhead | Indexer cluster search head | { "site": "default", "master": "ip-10-222-27-244", "searchhead": { "status": "Connected", "guid": "1D4D422A-ADDE-437D-BA07-2B0C319D23BA", "host": "ip-10-212-55-3" } } |
deployment.distsearch.peer | Distributed search peers | { "peer": { "status": "Up", "guid": "472A5F22-CC92-4220-AA17-4E48919B897A", "host": "ip-10-222-21-4" }, "host": "ip-10-222-27-244" } |
deployment.forwarders | Forwarder architecture, forwarding volume | { "hosts": 168, "instances": 497, "architecture": "x86_64", "os": "Linux", "splunkVersion": "6.5.0", "type": "uf", "bytes": { "min": 389, "max": 2291497, "total": 189124803, "p10": 40960, "p20": 139264, "p30": 216064, "p40": 269312, "p50": 318157, "p60": 345088, "p70": 393216, "p80": 489472, "p90": 781312 } } |
deployment.index | Indexes per search peer | { "name": "_audit", "type": "events", "total": { "rawSizeGB": null, "maxTime": 1502845730.0, "events": 1, "maxDataSizeGB": 488.28, "currentDBSizeGB": 0.0, "minTime": 1502845719.0, "buckets": 0 }, "host": "ip-10-222-17-130", "buckets": { "thawed": { "events": 0, "sizeGB": 0.0, "count": 0 }, "warm": { "sizeGB": 0.0, "count": 0 }, "cold": { "events": 0, "sizeGB": 0.0, "count": 0 }, "coldCapacityGB": "unlimited", "hot": { "sizeGB": 0.0, "max": 3, "count": 0 }, "homeEventCount": 0, "homeCapacityGB": "unlimited" }, "app": "system" } |
deployment.licensing.slave | License slaves | { "master": "9d5c20b4f7cc", "slave": { "pool": "auto_generated_pool_enterprise", "guid": "A5FD9178-2E76-4149-9FGF-55DCE35E38E7", "host": "9d5c20b4f7cc" } } |
deployment.node | Host architecture, utilization | { "guid": "123309CB-ABCD-4BC9-9B6A-185316600F23", "host": "docteam-unix-3", "os": "Linux", "osExt": "Linux", "osVersion": "3.10.0-123.el7.x86_64", "splunkVersion": "6.5.0", "cpu": { "coreCount": 2, "utilization": { "min": 0.01, "p10": 0.01, "p20": 0.01, "p30": 0.01, "p40": 0.01, "p50": 0.02, "p60": 0.02, "p70": 0.03, "p80": 0.03, "p90": 0.05, "max": 0.44 }, "virtualCoreCount": 2, "architecture": "x86_64" }, "memory": { "utilization": { "min": 0.26, "max": 0.34, "p10": 0.27, "p20": 0.28, "p30": 0.28, "p40": 0.28, "p50": 0.29, "p60": 0.29, "p70": 0.29, "p80": 0.3, "p90": 0.31 }, "capacity": 3977003401 }, "disk": { "fileSystem": "xfs", "capacity": 124014034944, "utilization": 0.12 } } |
deployment.shclustering.member | | { "site": "default", "member": { "status": "Up", "guid": "290C48B1-50D3-48C9-AF86-14F43000CC5C", "host": "ip-10-222-19-223" }, "captain": "ip-10-222-19-253" } |
licensing.stack | Licensing quota and consumption | { "type": "download-trial", "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB", "product": "enterprise", "name": "download-trial", "licenseIDs": [ "553A0D4F-3B7B-4AD5-B241-89B94386A07F" ], "quota": 524288000, "pools": [ { "quota": 524288000, "consumption": 304049405 } ], "consumption": 304049405, "subgroup": "Production", "host": "docteam-unix-9" } |
performance.indexing | Indexing throughput and volume | { "host": "docteam-unix-5", "thruput": { "min": 412, "max": 9225, "total": 42980219, "p10": 413, "p20": 413, "p30": 431, "p40": 450, "p50": 474, "p60": 488, "p70": 488, "p80": 488, "p90": 518 } } |
performance.search | Search runtime statistics | { "latency": { "min": 0.01, "max": 1.33, "p10": 0.02, "p20": 0.02, "p30": 0.05, "p40": 0.16, "p50": 0.17, "p60": 0.2, "p70": 0.26, "p80": 0.34, "p90": 0.8 } } |
app.session.dashboard.pageview | Dashboard characteristics, triggered when a dashboard is loaded. | { "dashboard": { "autoRun": false, "hideEdit": false, "numCustomCss": 0, "isVisible": true, "numCustomJs": 0, "hideFilters": false, "hideChrome": false, "hideAppBar": false, "hideFooter": false, "submitButton": false, "refresh": 0, "hideSplunkBar": false, "hideTitle": false, "isScheduled": false }, "numElements": 1, "numSearches": 1, "numPanels": 1, "elementTypeCounts": { "column": 1 }, "layoutType": "row-column-layout", "searchTypeCounts": { "inline": 1 }, "name": "test_dashboard", "numFormInputs": 0, "formInputTypeCounts": {}, "numPrebuiltPanels": 0, "app": "search" } |
app.session.pivot.interact | Changes to pivots. Generated when a change to a pivot is made. | { "eventAction": "change", "eventLabel": "Pivot - Report Content", "numColumnSplits": 0, "reportProps": { "display.visualizations.charting.legend.placement": "none", "display.visualizations.type": "charting", "earliest": "0", "display.statistics.show": "1", "display.visualizations.charting.chart": "column", "display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation": "-90", "display.visualizations.show": "1", "display.general.type": "visualizations" }, "numRowSplits": 1, "eventCategory": "PivotEditorReportContent", "app": "search", "page": "pivot", "numAggregations": 1, "numCustomFilters": 0, "eventValue": {}, "locale": "en-US", "context": "pivot" } |
app.session.pivot.load | | { "eventAction": "load", "eventLabel": "Pivot - Page", "numColumnSplits": 0, "reportProps": { "display.visualizations.charting.legend.placement": "none", "display.visualizations.type": "charting", "earliest": "0", "display.statistics.show": "1", "display.visualizations.charting.chart": "column", "display.visualizations.show": "1", "display.general.type": "visualizations" }, "numRowSplits": 1, "eventCategory": "PivotEditor", "app": "search", "page": "pivot", "numAggregations": 1, "numCustomFilters": 0, "locale": "en-US", "context": "pivot" } |
app.session.page.load | Triggered when a new page loads. | { "component":"app.session.page.load", "visibility":"anonymous,support", "timestamp":1530637605818, "userID":"890e662510aa0462112a4927b05dff6f90b093a9ba97884edc2473fe0ac461bf", "experienceID":"dd7136a3-2584-2e7f-16d8-50b47f0f3204", "deploymentID":"98dfc5ff-756c-5b01-960c-e4ac3a3ff303", "eventID":"b06d0493-a3b8-3cae-52ee-85a11303390e", "version":"3" } |
app.session.search.interact | Triggered when a query string is run as a search. | { "component":"app.session.page.interact", "visibility":"anonymous,support", "timestamp":1530297674543, "userID":"890e662510aa0462112a4927b05dff6f90b093a9ba97884edc2473fe0ac461bf", "experienceID":"dd7136a3-2584-2e7f-16d8-50b47f0f3204", "deploymentID":"98dfc5ff-756c-5b01-960c-e4ac3a3ff303", "eventID":"bbc6244e-587d-17ee-f8a9-94a0f2744d66", "version":"3" } |
app.session.pageview | | { "app": "launcher", "page": "home" } |
app.session.session_start | | { "app": "launcher", "splunkVersion": "6.6.0", "os": "Ubuntu", "browser": "Firefox", "browserVersion": "38.0", "locale": "en-US", "device": "Linux x86_64", "osVersion": "not available", "page": "home", "guid": "2550FC44-64E5-43P5-AS44-6ABD84C91E42" } |
usage.app.page | App page users and views | { "app": "search", "locale": "en-US", "occurrences": 1, "page": "datasets", "users": 1 } |
usage.authMethod.config | Authentication method | { "host": "e7d908b081d36d4bb0b41d4376214b5f2773af89", "guid": "4ABE998D-1629-43AD-8B1A-025EA77DA4B8", "authentication method": "Splunk", "mfa type": "none" } |
usage.healthMonitor.report | Health report manager | { "alert":{ "alert_action:email":{ "disabled":"0", "action/ action.to/ action.url/ action.integration_url_override":"empty" }, "alert_action:webhook":{ "disabled":"0", "action/ action.to/ action.url/ action.integration_url_override":"empty" }, "health_reporter":{ "disabled":"0", "action/ action.to/ action.url/ action.integration_url_override":"email" } }, "feature:batchreader":{ "threshold":{ "indicator:data_out_rate:red":2, "indicator:data_out_rate:yellow":1 }, "enabled":"1" }, "feature:buckets":{ "threshold":{ "indicator:buckets_created_last_60m:red":60, "indicator:percent_small_buckets_created_last_24h:red":50, "indicator:buckets_created_last_60m:yellow":40, "indicator:percent_small_buckets_created_last_24h:yellow":30 }, "enabled":"1" }, "feature:cluster_bundles":{ "threshold":{ "indicator:cluster_bundles:yellow":1 }, "enabled":"1" }, "feature:data_durability":{ "threshold":{ "indicator:cluster_replication_factor:red":1, "indicator:cluster_search_factor:red":1 }, "enabled":"1" }, "feature:data_searchable":{ "threshold":{ "indicator:data_searchable:red":1 }, "enabled":"1" }, "feature:ddaa_archived_buckets":{ "threshold":{ "indicator:archived_buckets_failed_last_24h:red":80, "indicator:archived_buckets_failed_last_24h:yellow":40 }, "enabled":"1" }, "feature:disk_space":{ "threshold":{ "indicator:disk_space_remaining_multiple_minfreespace:red":1, "indicator:disk_space_remaining_multiple_minfreespace:yellow":2 }, "enabled":"1" }, "feature:indexers":{ "threshold":{ "indicator:detention:red":1, "indicator:missing_peers:red":1, "indicator:detention:yellow":1, "indicator:missing_peers:yellow":1 }, "enabled":"1" }, "feature:indexing_ready":{ "threshold":{ "indicator:indexing_ready:red":1 }, "enabled":"1" }, "feature:master_connectivity":{ "threshold":{ "indicator:master_connectivity:red":1 }, "enabled":"1" }, "feature:replication_failures":{ "threshold":{ "indicator:replication_failures:red":10, "indicator:replication_failures:yellow":5 }, "enabled":"1" }, "feature:s2s_autolb":{ "threshold":{ "indicator:s2s_connections:red":70, "indicator:s2s_connections:yellow":20 }, "enabled":"1" }, "feature:searchheadconnectivity":{ "threshold":{ "indicator:master_connectivity:red":1, "indicator:master_version_compatibility:yellow":1 }, "enabled":"1" }, "feature:shc_captain_common_baseline":{ "threshold":{ "indicator:common_baseline:red":1 }, "enabled":"1" }, "feature:shc_captain_connection":{ "threshold":{ "indicator:captain_connection:red":1, "indicator:captain_existence:red":1 }, "enabled":"1" }, "feature:shc_captain_election_overview":{ "threshold":{ "indicator:dynamic_captain_quorum:yellow":1 }, "enabled":"1" }, "feature:shc_members_overview":{ "threshold":{ "indicator:detention:red":1, "indicator:status:red":1, "indicator:detention:yellow":1, "indicator:replication_factor:yellow":1, "indicator:status:yellow":1 }, "enabled":"1" }, "feature:shc_snapshot_creation":{ "threshold":{ "indicator:snapshot_creation:red":2, "indicator:snapshot_creation:yellow":1 }, "enabled":"1" }, "feature:slave_state":{ "threshold":{ "indicator:slave_state:red":1, "indicator:slave_state:yellow":1 }, "enabled":"1" }, "feature:slave_version":{ "threshold":{ "indicator:slave_version:red":1 }, "enabled":"1" }, "feature:splunkoptimize_processes":{ "threshold":{ "indicator:concurrent_optimize_processes_percent:yellow":100 }, "enabled":"1" }, "feature:tailreader":{ "threshold":{ "indicator:data_out_rate:red":2, "indicator:data_out_rate:yellow":1 }, "enabled":"1" } } |
usage.indexing.sourcetype | Indexing by source type | { "name": "vendor_sales", "bytes": 2026348, "events": 30245, "hosts": 1 } |
usage.lookups.lookupDefinitions | Lookup definition metadata. | { [-] lookups: [ [-] { [-] _timediff: is_temporal: 0 name: 96117ed21e74f16d452027ed8e16c5d32fddd229 sharing: system size: type: external } { [-] _timediff: is_temporal: 0 name: 256d0fae9448acc55cd2e5cbabe7dbec576158c2 sharing: global size: 18053 type: file } { [-] _timediff: is_temporal: 0 name: 88767984d9dc6308309ffde5dc3591fa3865e7f2 sharing: global size: 832 type: file } { [-] _timediff: is_temporal: 0 name: 1b0131dbc851786586e269a2ba8b2f08bbd6834f sharing: global size: type: geo } { [-] _timediff: is_temporal: 0 name: 6d47b91d0c0753e9332ec2c0f8c956151c9b1e16 sharing: global size: type: geo } ] } |
usage.passwordPolicy.config | Password policy management | { "host": "e7d908b081d36d4bb0b41d4376214b5f2773af89", "guid": "4ABE998D-1629-43AD-8B1A-025EA77DA4B8", "constant login time":"0.000", "enable password history":"false", "expiration alert in days":"15", "days until password expires":"90", "enable password expiration":"false", "force existing users to change weak passwords":"false", "failed login attempts":"5", "lockout duration in minutes":"30", "lockout threshold in minutes":"5", "enable lockout users":"true", "minimum number of digits":"0", "minimum number of characters":"8", "minimum number of lowercase letters":"0", "minimum number of special characters":"0", "minimum number of uppercase letters":"0", "password history count":"24", "enable verbose login fail message":"true" } |
usage.kvstore | Metrics and performance data about KV store. | {{ [-] usage.flushAverageMs: 5.3538461538461535 usage.instanceType: primary usage.memRamMb: 0 usage.memVirtualMb: 0 usage.oplogEndTime: 1569301264 usage.oplogStartTime: 1569222045 usage.oplogTimeRange: 79219 usage.readLatencyToUpTime: 0.000153653421585191 usage.readLatencyUsPerOp: 0.02158053280617528 usage.storageEngine: mmapv1 usage.upTime: 3956 usage.version: 3.6.12-splunk usage.writeLatencyToUpTime: 0.000153653421585191 usage.writeLatencyUsPerOp: 0.00048009036995199094 }} |
usage.search.concurrent | Search concurrency | { "host": "docteam-unix-5", "searches": { "min": 1, "max": 11, "p10": 1, "p20": 1, "p30": 1, "p40": 1, "p50": 1, "p60": 1, "p70": 1, "p80": 2, "p90": 3 } } |
usage.search.searchTelemetry | Searches by name and count | { "commands":[ { "name":"addinfo", "count":4519 }, { "name":"append", "count":4 }, { "name":"bin", "count":206 }, { "name":"chart", "count":4 }, { "name":"fields", "count":5951 }, { "name":"fillnull", "count":2 }, { "name":"sort", "count":21 }, { "name":"tstats", "count":400 }, { "name":"typer", "count":4265 }, { "name":"where", "count":129 } ] } |
usage.search.report_acceleration | Report acceleration metrics | { "existing_report_accelerations": 2, "access_count_of_existing_report_accelerations": 10 } |
usage.search.type | Searches by type | { "ad-hoc": 1428, "scheduled": 225 } |
usage.smartStore.Config | SmartStore | { "global config":{ "cachemanager":{ "eviction_padding":"5120", "max_cache_size":"0", "hotlist_recency_secs":"86400", "hotlist_bloom_filter_recency_hours":"360" }, "clustering":{ "mode":"disabled" }, "diskUsage":{ "minFreeSpace":"5000" } }, "total storage capacity":{ "0":{ "free":47526.223, "available":47526.223, "capacity":58874.0, "fs_type":"xfs" } }, "per index config":{ "internal_60e95704b4f8c24e3e3232b601e79c36a7366718":{ "maxGlobalDataSizeMB":0, "frozenTimePeriodInSecs":188697600, "hotlist_bloom_filter_recency_hours":"none", "hotlist_recency_secs":"none", "maxHotSpanSecs":7776000 }, "internal_f1b1f1f40216ee2e2b5a526eec43c8f71cccef5d":{ "maxGlobalDataSizeMB":0, "frozenTimePeriodInSecs":2592000, "hotlist_bloom_filter_recency_hours":"none", "hotlist_recency_secs":"none", "maxHotSpanSecs":432000 }, "internal_302a11446cd560395417c9e2d2177a7a0fa8d74d":{ "maxGlobalDataSizeMB":0, "frozenTimePeriodInSecs":1209600, "hotlist_bloom_filter_recency_hours":"none", "hotlist_recency_secs":"none", "maxHotSpanSecs":7776000 }, "external_66f79d8a6327c82c9033e6d65ff03322a3766c87":{ "maxGlobalDataSizeMB":0, "frozenTimePeriodInSecs":604800, "hotlist_bloom_filter_recency_hours":"none", "hotlist_recency_secs":"none", "maxHotSpanSecs":7776000 }, "external_b28b7af69320201d1cf206ebf28373980add1451":{ "maxGlobalDataSizeMB":0, "frozenTimePeriodInSecs":188697600, "hotlist_bloom_filter_recency_hours":"none", "hotlist_recency_secs":"none", "maxHotSpanSecs":7776000 }, "external_0b68bd367c0c1f2f2b9879ed5f5ffa59df64c383":{ "maxGlobalDataSizeMB":0, "frozenTimePeriodInSecs":188697600, "hotlist_bloom_filter_recency_hours":"none", "hotlist_recency_secs":"none", "maxHotSpanSecs":7776000 } }, "list of indexes":{ "non-SmartStore enabled":"60e95704b4f8c24e3e3232b601e79c36a7366718,f1b1f1f40216ee2e2b5a526eec43c8f71cccef5d,302a11446cd560395417c9e2d2177a7a0fa8d74d,66f79d8a6327c82c9033e6d65ff03322a3766c87,b28b7af69320201d1cf206ebf28373980add1451,0b68bd367c0c1f2f2b9879ed5f5ffa59df64c383" } } |
usage.workloadManagement.report | Workload management | { "host": "e7d908b081d36d4bb0b41d4376214b5f2773af89", "guid": "4ABE998D-1629-43AD-8B1A-025EA77DA4B8", "wlm supported": "1", "os": "Linux", "osVersion": "3.10.0-862.9.1.el7.x86_64", "wlm enabled": "1", "server roles": "indexer, license_master, kv_store, shc_captain", "pools":{ "total count":"3", "ingest pool count":"1", "search pool count":"2", "aa":{"cpu weight":"80", "memory weight":"50"}, "bb":{"cpu weight":"100", "memory weight":"100"}, "dd":{"cpu weight":"50", "memory weight":"50"} }, "rules":{ "total count":"0" } } |
License usage data
Component | Data category | Example |
---|---|---|
licensing.stack | Licensing quota and consumption | { "type": "download-trial", "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB", "product": "enterprise", "name": "download-trial", "licenseIDs": [ "553A0D4F-3B7B-4AD5-B241-89B94386A07F" ], "quota": 524288000, "pools": [ { "quota": 524288000, "consumption": 304049405 } ], "consumption": 304049405, "subgroup": "Production", "host": "docteam-unix-9" } |
What data is not collected
The following kinds of data are not collected:
- Unhashed usernames or passwords.
- Indexed data that you ingest into your Splunk platform instance.
How usage data is handled
When you enable instrumentation, usage data is transported directly to Splunk through its MINT infrastructure. Data received is securely stored within on-premises servers at Splunk with restricted access.
Anonymized usage data is aggregated, and is used by Splunk to analyze usage patterns so that Splunk can improve its products and benefit customers. License IDs collected are used only to verify that data is received from a valid Splunk product and persisted only for users opting into license usage reporting. These license IDs help Splunk analyze how different Splunk products are being deployed across the population of users and are not attached to any anonymized usage data.
Support usage data is used by Support and Customer Success teams to troubleshoot and improve a customer's implementation. Access to Support usage data is restricted further than anonymized usage data.
See the Splunk Privacy Policy for more information.
Why send license usage data
Certain license programs require that you report your license usage. The easiest way to do this is to automatically send this information to Splunk.
If you do not enable automatic license data sharing, you can send this data manually. To send usage data manually:
- On a search head, log into Splunk Web.
- Select Settings > Instrumentation.
- Click Export.
- Select a date range and data type.
- Click Send or Export to send data to Splunk or export data to your local machine.
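Exporting to your local machine lets you review the data before anything is sent. The following is an added example, not Splunk code: it walks exported events and reports host and index identifiers whose values do not match the hashed form seen in this page's examples. The event layout, the field names checked, and the 40-hex-digit pattern are assumptions drawn from those examples, and the samples are constructed.

```python
import json
import re

# Assumption: hashed identifiers look like the 40-hex-digit values in this page's examples.
HASHED = re.compile(r"^[0-9a-f]{40}$")
# Assumption: fields naming a host or an index, taken from this page's examples.
ID_FIELDS = {"host"}
INDEX_MAPS = {"per index config"}
INDEX_LISTS = {"non-SmartStore enabled"}

# Constructed samples trimmed from this page's examples; "web_prod" is a made-up plaintext name.
H = "60e95704b4f8c24e3e3232b601e79c36a7366718"
SAMPLES = {
    "Workload management":
        '{"host": "e7d908b081d36d4bb0b41d4376214b5f2773af89", "os": "Linux"}',
    "Licensing quota and consumption":
        '{"type": "download-trial", "quota": 524288000, "host": "docteam-unix-9"}',
    "SmartStore (constructed)":
        '{"per index config": {"internal_%s": {}, "external_web_prod": {}},'
        ' "list of indexes": {"non-SmartStore enabled": "%s,web_prod"}}' % (H, H),
}

def strip_prefix(name):
    """Drop the internal_/external_ prefix seen on index keys in the SmartStore example."""
    return re.sub(r"^(internal|external)_", "", name)

def find_unhashed(node, path=""):
    """Return (path, value) pairs for identifier fields that are not 40-hex hashes."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in ID_FIELDS and isinstance(value, str):
                found += [] if HASHED.match(value) else [(here, value)]
            elif key in INDEX_MAPS and isinstance(value, dict):
                found += [(here, k) for k in value if not HASHED.match(strip_prefix(k))]
            elif key in INDEX_LISTS and isinstance(value, str):
                found += [(here, v) for v in value.split(",") if not HASHED.match(v.strip())]
            else:
                found += find_unhashed(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_unhashed(item, f"{path}[{i}]")
    return found

def audit(samples):
    """Map each sample's name to its list of unhashed identifier findings."""
    return {name: find_unhashed(json.loads(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        for path, value in findings:
            print(f"{name}: {path} = {value!r} is not hashed")
```
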
Feature footprint
Anonymized, Support, and license usage data is summarized and sent once per day, starting at 3:05 a.m.
Session data and update checker data is sent from your browser as the events are generated. The performance implications are negligible.
About searches
If you opt in to anonymized, Support, or license usage data reporting, a few instances in your Splunk Enterprise deployment collect data through scheduled searches. Most of the searches run in sequence, starting at 3:05 a.m. on the node that runs the searches. All searches are triggered with a scripted input. See Configure the priority of scheduled reports.
Which instance runs the searches and sends data to Splunk
One primary instance in your deployment runs the distributed searches to collect most of the usage data. This primary instance is also responsible for sending the data to Splunk. Which instance acts as the primary instance depends on the details of your deployment:
- If indexer clustering is enabled, the cluster master is the primary instance. If you have more than one indexer cluster, each cluster master is a primary instance.
- If search head clustering is enabled but not indexer clustering, each search head captain is a primary instance.
- If your deployment does not use clustering, the searches run on a search head.
If you opt out of instrumentation, the searches on this primary instance do not run.
Additional instances in your deployment run a smaller number of searches, depending on colocation details. See Anonymized or Support usage data. If you opt into instrumentation, the data from these searches is collected by the primary node and sent to Splunk. If you opt out, these searches still run, but no data is sent.
In order for the primary instance in your deployment to send data to Splunk, it must be connected to the internet with no firewall rules or proxy server configurations that prevent outbound traffic to https://quickdraw.splunk.com/telemetry/destination or https://*.api.splkmobile.com. If necessary, whitelist these URLs for outbound traffic.
Instrumentation in the Splunk Enterprise file system
After the searches run, the data is packaged and sent to Splunk, as well as indexed to the _telemetry index. The _telemetry index is retained for two years by default and is limited in size to 256 MB.
The instrumentation app resides in the file system at $SPLUNK_HOME/etc/apps/splunk_instrumentation.
Schedule instrumentation collection
If all instances in your deployment are running Splunk Enterprise version 7.1.0 or later, you can schedule instrumentation to run starting at any hour of the day, on a daily or a weekly schedule.
Changing the instrumentation collection schedule has trade-offs. Scheduling the collection to run weekly instead of daily might decrease the total search load for the week. A weekly collection takes longer than a daily collection, because it gathers data from all seven days. If you choose weekly collection, set it for a day and time when you expect the search load to be low.
The collection process in a deployment begins at the top of the hour, for example, at 3:00 A.M. The process runs a few searches in sequence on several instances in your deployment. Depending on the size of your deployment and whether you run instrumentation daily or weekly, it can take a few minutes before the final searches run on the primary instance to package and send the data to Splunk. See Which instance runs the searches.
If you opt in to instrumentation, the collection process begins daily at 3:00 A.M. by default.
Change the collection schedule using Splunk Web
- On a search head, in Splunk Web, navigate to Settings > Instrumentation.
- Next to Usage Data, click the gear icon.
- Click Edit usage data schedule.
- Select a frequency, day, and time.
- Click Save.
You do not need to restart.
Change the collection schedule using configuration files
You can change the collection schedule by editing the telemetry.conf file. For guidelines on editing this file, see telemetry.conf.spec.
- At the command line on any search head, navigate to $SPLUNK_HOME/etc/apps/splunk_instrumentation/local/.
- Create or edit telemetry.conf.
- Edit the values for any of scheduledHour, scheduledDay, and reportStartDate according to the guidelines in telemetry.conf.spec.
This documentation applies to the following versions of Splunk® Enterprise: 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9