About the Splunk Enterprise license usage report view
The license usage report view provides information on license capacity and indexed volume. You can see daily indexing volume, any license warnings, and a view of the last 30 days of license usage.
Access the license usage report view
On the license master, access the dashboard for the license usage report view:
- Navigate to Settings > Licensing.
- Click Usage report.
The dashboard includes these tabs:
- Today
- Previous 30 Days
Today tab
The license usage report view provides several panels under the Today tab. These panels show the status of license usage and the warnings for the current day. The license day ends at midnight according to the license master's clock.
Today's license usage panel
This panel shows today's license usage and the total daily license quota across all pools.
Today's license usage per pool panel
This panel shows today's license usage and the daily license quota for each pool.
Today's percentage of daily license quota used per pool panel
This panel shows what percentage of today's license quota has been used by each pool. The percentage is displayed on a logarithmic scale.
Pool usage warnings panel
This panel shows the warnings, both soft and hard, that each pool has received in the past 30 days or since the last license reset key was applied. See "About license violations".
Slave usage warnings panel
For each license slave, this panel shows the number of warnings, its pool membership, and whether the slave is in violation.
Previous 30 Days tab
The Previous 30 Days tab contains several panels and drop-down options.
The visualizations in these panels limit the number of values plotted for each field that you can split by (host, source, source type, index, indexer, and pool). If you have more than 10 distinct values for any of these fields, the values after the 10th are labeled "Other."
These panels all use data collected from type=RolloverSummary (daily totals). If the license master is down at its local midnight, it will not generate a RolloverSummary event for that day, and you will not see that day's data in these panels.
Split-by: no split, indexer, pool
These three split-by options are self-explanatory.
Split-by: source, source type, host, index
These split-by fields require explanation for how they employ report acceleration and squashing.
Improve performance by accelerating reports
Splitting by source, source type, and host uses license_usage.log type=Usage, which provides real-time usage statistics at one-minute intervals. Without acceleration, the search can be very slow, because it searches through 30 days of data, and that data gets generated at the rate of one event per minute. To improve performance, accelerate the report that powers these split-by options.
Acceleration for this report is disabled by default. To accelerate the report, click the link that shows up in the info message when you select one of these split-by values. You can also find the workflow for accelerating in Settings > Searches and reports > License usage data cube. See Accelerate reports in the Reporting Manual.
Report acceleration can take up to 10 minutes to start after you select it for the first time. It then takes additional time to build the acceleration summary, from a few minutes to an hour depending on the amount of data being summarized. After the first acceleration run, subsequent reports build on what's already there, keeping the report up-to-date.
Enable report acceleration only on your license master.
Configure how frequently the acceleration runs in savedsearches.conf, with auto_summarize. The default is every 10 minutes. Keep the interval frequent, to make the workload small and steady. The default uses a cron job set for every 10 minutes at the 3 minute mark. This is configurable in
Every license slave periodically reports to the license master its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, sourcetype, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by sourcetype and index. This is done to prevent high memory usage and an unwieldy number of
Because of squashing on the other fields, only the split-by sourcetype and index guarantee full reporting. Split-by source and host do not guarantee full reporting if those two fields represent many distinct values. The report shows the entire quantity indexed, but not the names. Therefore, you don't know who consumed a particular amount, but you still know what the amount consumed is.
Squashing is configurable in server.conf, in the [license] stanza, with the squash_threshold setting. Increasing the value puts a load on memory usage, so consult Splunk Support before changing the setting.
The license usage report emits a warning message when squashing occurs.
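The following Python sketch is an added example, not Splunk code: it models the squashing behavior described above to show why split-by sourcetype and index stay complete while split-by host keeps the volume but loses the names. The function names, the "(squashed)" label, the sample data, and the threshold values are assumptions made for illustration.

```python
from collections import defaultdict

SQUASHED = "(squashed)"  # label chosen for this example, not a Splunk value

def report_usage(stats, squash_threshold):
    """Simplified model of one license slave's report to the license master.

    stats maps (host, source, sourcetype, index) -> bytes indexed.
    If the number of distinct tuples exceeds squash_threshold, host and
    source are blanked and volume is reported by (sourcetype, index) only.
    """
    if len(stats) <= squash_threshold:
        return [dict(host=h, source=s, sourcetype=st, index=idx, bytes=b)
                for (h, s, st, idx), b in stats.items()]
    merged = defaultdict(int)
    for (_h, _s, st, idx), b in stats.items():
        merged[(st, idx)] += b
    return [dict(host="", source="", sourcetype=st, index=idx, bytes=b)
            for (st, idx), b in merged.items()]

def split_by(rows, field):
    """Sum bytes per value of `field`; blank (squashed) values share one bucket."""
    totals = defaultdict(int)
    for row in rows:
        totals[row[field] or SQUASHED] += row["bytes"]
    return dict(totals)

def sample_stats():
    """Constructed sample: 6 hosts x 2 sources = 12 distinct tuples."""
    stats = {}
    for n in range(6):
        stats[(f"web{n}", "/var/log/access.log", "access_combined", "web")] = 1000 * (n + 1)
        stats[(f"web{n}", "/var/log/secure", "linux_secure", "os")] = 100
    return stats

if __name__ == "__main__":
    stats = sample_stats()
    for threshold in (100, 10):  # constructed values for this example
        rows = report_usage(stats, threshold)
        print(f"threshold={threshold} rows={len(rows)}")
        print("  by sourcetype:", split_by(rows, "sourcetype"))
        print("  by host:      ", split_by(rows, "host"))
```

With the lower threshold the host breakdown collapses into a single unnamed bucket that still carries the full indexed volume, which is the situation the warning message in the report signals.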
To view more granular information without squashing, search metrics.log for
Top 5 by average daily volume
The Top 5 panel shows average and maximum daily usage of the top five values for whatever split-by field you choose from the Split By menu.
The panel selects the top five average, not peak, values to display. So, for example, say you have more than five source types. Source type F is normally much smaller than the others but has a brief peak. Source type F's max daily usage is thus very high, but its average usage might still be low (since it has all those days of very low usage to bring down its average). Since this panel selects the top five values by average, source type F might not show up in this view.
Identify metrics data in your license usage report
You can identify metrics data by clicking the Previous 30 days tab and sorting by index.
Set up an alert
You can turn any of the license usage report view panels into an alert. For example, say you want to set up an alert for when license usage reaches 80% of the quota.
- Go to the Today's percentage of daily license usage quota used panel.
- Click "Open in search" at the bottom left of a panel.
- Append the following to the search string: | where '% used' > 80
- Select Save as > Alert and follow the alerting wizard.
Splunk Enterprise comes with several preconfigured alerts that you can enable. See Enable and configure platform alerts in Monitoring Splunk Enterprise.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6