About the Splunk Enterprise license usage report view
If you want to view and monitor your license capacity usage and indexing volume over time, use the license usage reports. The reports are available on both the license master and the monitoring console roles. To learn about licenses, and license stacks and pools, see Allocate license volume.
Access the license usage report view
On the license master:
- Navigate to Settings > Licensing.
- Select Usage report.
On the monitoring console:
- Navigate to Settings > Monitoring Console.
- Navigate to Indexing > License Usage.
- Select License Usage.
If you use infrastructure licensing, use the Resource Usage: CPU Usage dashboards in the Monitoring Console to check your vCPU counts for the search head and indexer roles. See Resource Usage: CPU Usage in the Monitoring Splunk Enterprise manual.
License Usage - Today
The panels in this report show the status of license usage and the warnings for the current day. The panels include:
|Today's license usage (GB)||Today's license usage and the total daily license quota across all pools.|
|Today's license usage per pool||Today's license usage and the daily license quota for each pool.|
|Today's percentage of daily license quota used per pool||The percentage of today's license quota used by each pool. The percentage is displayed on a logarithmic scale.|
|Pool usage warnings||Displays any warnings that a pool has received in the past 30 days, or since the last license reset key was applied. See "About license violations".|
|Slave usage warnings||The pool membership, number of warnings, and violations recorded for each license slave.|
License Usage - Previous 30 Days
The panels in this report show the historical license usage and the warnings. The report uses data collected from the
type=RolloverSummary. These represent the daily totals recorded for all peer or slave nodes.
If the license master is down during the time period that represents its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.
The License Usage report will change to "Previous 60 Days" if your Splunk Enterprise license stack is less than 100GB and is subject to conditional license enforcement.
The panels include:
|Panel name||Split by||Description|
|Daily License Usage||Yes: pool, indexer, source type, host, source, index.||The total daily license usage over time. Use the split-by option to sort.|
|Percentage of Daily License Quota Used||Yes: pool, indexer, source type, host, source, index.||The percentage of the daily license quota used over time. Use the split-by option to sort.|
|Average and Peak Daily Volume||Yes: pool, indexer, source type, host, source, index.||The average and peak license usage over time. Use the split-by option to sort.|
The visualizations in these panels limit the number of values plotted for each field that you can split by host, source, source type, index, indexer, or pool. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other."
Improve performance by accelerating reports
By default, generating a historical report using a split-by field with many values will take some time to run. You can accelerate the report If you plan to run it regularly.
Enable report acceleration on the instance where you plan to view the licensing report: the license master or the monitoring console.
When you use the split by option for source type, host, source, or index; you'll be prompted to turn on report acceleration. You can view the options and schedule for accelerating licensing searches in Settings > Searches, Reports, and Alerts > License Usage Data Cube. Report acceleration can take up to 10 minutes to start after you select it for the first time. After the historical data has been summarized, the data is kept current using a scheduled report. See Accelerate reports in the Reporting Manual.
Every license slave periodically reports the stats for data indexed by source, source type, host, and index to the license master. If the number of distinct tuples (host, source, sourcetype, index) grows beyond a configurable threshold, the host and source values are automatically squashed. This is done to lower memory usage and prevent a flood of log events. The license usage report emits a warning message when squashing occurs. Because of squashing on the host and source fields, only the split by source type and index choices offer full reporting.
The squashing threshold is configurable. Increasing the value increases memory usage. See the
squash_threshold setting in server.conf.
To view more granular information without squashing, search metrics.log for
Identify metrics data in your license usage report
You can identify metrics data by selecting License Usage - Previous 30 Days, and split by index.
Set up an alert
You can turn any of the license usage report view panels into an alert. For example, say you want to set up an alert for when license usage reaches 80% of the quota.
- Go to the Today's percentage of daily license usage quota used panel.
- Click "Open in search" at the bottom left of a panel.
| where '% used' > 80
- Select Save as > Alert and follow the alerting wizard.
Splunk Enterprise comes with several preconfigured alerts that you can enable. See Enable and configure platform alerts in Monitoring Splunk Enterprise.
About license violations
Troubleshoot the license usage report view
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11
Feedback submitted, thanks!