Splunk® Enterprise

Admin Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About the Splunk Enterprise license usage report view

When you want to view and monitor your license capacity usage and indexing volume over time, use the license usage reports. These reports are available on both the license manager and the monitoring console roles. To learn about license allocation, and license stacks and pools, see Allocate license volume.

Access the license usage report view

On the license manager:

  1. Navigate to Settings > Licensing.
  2. Select Usage report.

On the monitoring console:

  1. Navigate to Settings > Monitoring Console.
  2. Navigate to Indexing > License Usage.
  3. Select License Usage.

If you use infrastructure licensing, use the Resource Usage: CPU Usage dashboards in the Monitoring Console to check your vCPU counts for the search head and indexer roles. See Resource Usage: CPU Usage in the Monitoring Splunk Enterprise manual.

License Usage - Today

The panels in this report show the status of your license usage, and any warnings for the current day. The panels include:

Panel name Description
Today's license usage (GB) Today's license usage and the total daily license quota across all pools.
Today's license usage per pool Today's license usage and the daily license quota for each pool.
Today's percentage of daily license quota used per pool The percentage of today's license quota used by each pool. The percentage is displayed on a logarithmic scale.
Pool usage warnings Displays any warnings that a pool has received in the past 30 days, or since the last license reset key was applied. See "About license violations".
Peer usage warnings The pool membership, the number of warnings, and any violations recorded for each license peer.

License Usage - Previous 30 Days

The panels in this report show the historical license usage, and any warnings. The report uses data collected from the license_usage.log, message type=RolloverSummary. These represent the daily totals recorded for all peer nodes.

If the license manager is down or inaccessible during the time period that represents midnight using the system clock, the license manager will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.

The License Usage report will change to "Previous 60 Days" if your Splunk Enterprise license stack is less than 100GB, and is subject to conditional license enforcement.

The panels include:

Panel name Split by Description
Daily License Usage Yes: pool, indexer, source type, host, source, index. The total daily license usage over time. Use the split-by option to sort.
Percentage of Daily License Quota Used Yes: pool, indexer, source type, host, source, index. The percentage of the daily license quota used over time. Use the split-by option to sort.
Average and Peak Daily Volume Yes: pool, indexer, source type, host, source, index. The average and peak license usage over time. Use the split-by option to sort.

The visualizations in these panels limit the number of values plotted for each field that you can split by host, source, source type, index, indexer, or pool. If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other."

Improve performance by accelerating reports

By default, generating a historical report using a split-by field with many values will take time to run. You can accelerate the report If you plan to run it regularly.

Enable report acceleration only on the instance where you plan to view the licensing report, such as the license manager or the monitoring console.

When you use the split by option for source type, host, source, or index; you'll be prompted to turn on report acceleration. You can view the options and schedule for accelerating licensing searches in Settings > Searches, Reports, and Alerts > License Usage Data Cube. Report acceleration can take up to 10 minutes to start after you select it for the first time. After the historical data has been summarized, the data is kept current using a scheduled report. See Accelerate reports in the Reporting Manual.

Squashing fields

Each license peer periodically reports the stats for data indexed by source, source type, host, and index to the license manager. If the number of distinct tuples (host, source, sourcetype, index) grows beyond a configurable threshold, the host and source values are automatically squashed. This is done to lower memory usage, and prevent a flood of log events. The license usage report emits a warning message when squashing occurs. Because of this squashing of the host and source fields, only the split by source type and index choices offer full reporting.

The squashing threshold is configurable. Increasing the value also increases memory usage. See the squash_threshold setting in server.conf.

To view more granular information without squashing, search metrics.log for per_host_thruput.

Identify metrics data in your license usage report

You can identify metrics data by selecting License Usage - Previous 30 Days, and split by index.

Set up an alert

You can turn any of the license usage report view panels into an alert. For example, if you want to set up an alert for when license usage reaches 80% of the quota:

  1. Go to the Today's percentage of daily license usage quota used panel.
  2. Click "Open in search" at the bottom left of a panel.
  3. Append a new percentile value | where '% used' > 80
  4. Select Save as > Alert and follow the alerting wizard.

Splunk Enterprise comes with several preconfigured alerts that you can enable. See Enable and configure platform alerts in Monitoring Splunk Enterprise.

Last modified on 28 September, 2021
About license violations   Troubleshoot the license usage report view

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters