Splunk® Enterprise

Monitor and Troubleshoot ingestion

Preview features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. These documents are not yet publicly available and we ask that you keep such information confidential.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Data squashing impact on data monitoring

When data exceeds the threshold limit defined in server.conf, Splunk automatically "squashes" the host and source fields in license usage logs. This decreases memory usage and reduces the total number of events and the load on the indexers and licensing manager.

Squashing only impacts host and source fields. It has no impact on metrics for index and source type.

Metrics summaries will include a message similar to the following if an individual span contains any squashed data:

"Squashing has occurred during the Current time selected. You may see inaccurate reporting of the volume data per host and source level. Host and source values are automatically squashed and represented as "squashed" in volume metrics reporting when squashing occurs."

This means that license usage logs were squashed during the selected time period, and those host and source values are represented as "squashed" on the dashboard.

To avoid squashing, configure the squashing threshold to a higher number. For more details, see the squash_threshold setting in server.conf.
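The following added example, which is not part of the Splunk documentation, measures how much reported volume per hour lost its host and source attribution and which index and source type pairs were affected. It assumes the key=value layout of type=Usage events in license_usage.log and that squashed events carry empty h and s values; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events (assumed license_usage.log layout, not real data).
SAMPLE_LOG = """\
01-23-2025 10:00:31.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" o="" idx="os" i="GUID-A" pool="default" b=1000 poolsz=1073741824
01-23-2025 10:01:31.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web02" o="" idx="os" i="GUID-A" pool="default" b=3000 poolsz=1073741824
01-23-2025 11:00:31.000 +0000 INFO  LicenseUsage - type=Usage s="" st="linux_secure" h="" o="" idx="os" i="GUID-A" pool="default" b=6000 poolsz=1073741824
01-23-2025 11:01:31.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/fw.log" st="firewall" h="fw01" o="" idx="net" i="GUID-A" pool="default" b=2000 poolsz=1073741824
01-23-2025 11:02:31.000 +0000 INFO  LicenseUsage - type=RolloverSummary pool="default" b=12000 poolsz=1073741824
"""

# key=value pairs; values are either double-quoted (possibly empty) or bare tokens.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage(line):
    """Return the fields of a type=Usage event, or None for any other line."""
    fields = {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}
    return fields if fields.get("type") == "Usage" and "b" in fields else None


def squash_report(lines):
    """Per hour: total bytes, squashed bytes, and the (idx, st) pairs affected."""
    spans = defaultdict(lambda: {"total": 0, "squashed": 0, "affected": set()})
    for line in lines:
        fields = parse_usage(line)
        if fields is None:
            continue
        span = spans[line[:13]]  # "MM-DD-YYYY HH" prefix used as the span key
        volume = int(fields["b"])
        span["total"] += volume
        # Assumption: a squashed event reports empty host (h) and source (s).
        if fields.get("h", "") == "" or fields.get("s", "") == "":
            span["squashed"] += volume
            span["affected"].add((fields["idx"], fields["st"]))
    return dict(spans)


if __name__ == "__main__":
    for hour, r in sorted(squash_report(SAMPLE_LOG.splitlines()).items()):
        pct = 100 * r["squashed"] / r["total"]
        print(f"{hour}: {r['squashed']}/{r['total']} bytes squashed ({pct:.0f}%)",
              sorted(r["affected"]))
```

A span with a high squashed share is one where per-host volume baselines, such as checks for a host that has stopped sending logs, cannot be trusted; index and source type totals remain usable.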

Last modified on 23 January, 2025

This documentation applies to the following versions of Splunk® Enterprise: DataMonitoringAppPreview

