Splunk Cloud Platform

Splunk Cloud Platform Admin Manual


Use the License Usage dashboards

The dashboards accessed from the Cloud Monitoring Console > License Usage tab enable Splunk Cloud Platform administrators to monitor their Splunk Cloud Platform subscription entitlement and ensure they don't exceed their license limits.

If your organization has an ingest-based subscription that measures by the amount of data ingested, see the Ingest dashboard.

If your organization has a workload-based subscription that measures by Splunk Virtual Compute (SVC) units, see the Workload dashboard.

This topic provides general information about the Splunk Cloud Platform subscription types. For more detailed information about the different subscription types, see the Splunk Cloud Platform Service Description. Be sure to choose the correct service description version for your Splunk Cloud Platform deployment from the Version drop-down menu.

For more information about your organization's particular subscription entitlement, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

A blue progress bar might appear above a panel, indicating that the Splunk platform is still generating data. Wait for the bar to disappear before reviewing the panel.

Do not modify any Cloud Monitoring Console (CMC) dashboard. Changing any of the search criteria, formatting, or layouts may cause inaccurate results and also override the automatic update process.

Monitor current usage of your ingestion-based subscription

If your Splunk Cloud subscription plan measures the search workload consumption by the amount of data ingested, Splunk Cloud Platform administrators use the Ingest dashboard on the CMC to monitor usage and stay within their subscription entitlement.

Splunk Cloud Platform administrators can also use the SVC Usage panel in the Workload dashboard to view basic information about their organization's projected SVC utilization. Workload-based subscriptions use Splunk Virtual Compute (SVC) as a unit of measure. To understand the potential SVC equivalent for your ingest-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

For any questions about your organization's ingest-based subscription, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

About the Ingest dashboard

The Ingest dashboard contains three panels visible to Splunk Cloud Platform administrators:

  • Daily License Usage and Average and Peak Daily Volume show data ingestion in GB over a 30-day time range. Both panels derive information from your organization's license manager and present data in a bar chart.
  • License Entitlement shows the licensed limit in GB for your organization's ingest-based subscription. This entitlement also displays as a horizontal line in the Daily License Usage panel.

The Split by drop-down list lets you split the displayed results by Host, Index, Source, or Source Type. The default is No Split.

The Daily License Usage and Average and Peak Daily Volume panels use daily totals event data collected from license_usage.log when you choose No Split. When you choose a Split by option, the panels use event data collected from the _internal index. If the license manager is down at its local midnight, it won't generate the events for that day, and you won't see that day's data in the panels.

Review the Ingest dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Ingest.

Chart series values are color-coded. See the key on the side of a panel for the specific values included in a chart.

Filter option | Description
No Split | The panels show license volume and usage data for all data pools.
Split by value | Select a Split by option of Source Type, Host, Source, or Index. The panels may show the following behavior:
  • Daily License Usage: Shows up to 11 color-coded series of the selected option. This includes the top 10 series and OTHER, a summary category that includes series not in the top 10.
  • Average and Peak Daily Volume: Shows the average and peak daily values for the top five series of the selected option.

Data may display as SQUASHED when you split by host or source. This is because every license peer periodically reports to the license manager its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, source type, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by source type and index. This is done to conserve internal resources.

Because of squashing on the other fields, only the split-by source type and index guarantee full reporting. Split by source and host do not guarantee full reporting if those two fields represent many distinct values. The panels show the entire quantity indexed, but not the names. This means that you don't know who consumed a particular amount, but you know what the amount consumed is.

License Entitlement | Shows the licensed limit in GB for your organization's ingest-based subscription. See the license limit horizontal line in the Daily License Usage panel to determine if your organization's ingestion rate stays under the limit.
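The SQUASHED behavior described above, modeled as an added example (not Splunk code): once the number of distinct tuples passes a threshold, host and source names are dropped while the sourcetype and index breakdown and the byte totals survive. The threshold value, field names, empty-string marker, and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (host, source, sourcetype, index, bytes indexed).
SAMPLE = [
    ("web01", "/var/log/nginx/access.log", "nginx", "web", 400),
    ("web02", "/var/log/nginx/access.log", "nginx", "web", 350),
    ("fw01", "udp:514", "syslog", "network", 900),
    ("fw02", "udp:514", "syslog", "network", 150),
    ("db01", "/var/log/audit.log", "linux_audit", "os", 200),
]


def peer_report(records, threshold):
    """Model the periodic report a license peer sends to the license manager.

    `threshold` stands in for the configurable limit on distinct
    (host, source, sourcetype, index) tuples; its value here is hypothetical.
    """
    distinct = {r[:4] for r in records}
    if len(distinct) <= threshold:
        return [dict(host=h, source=s, sourcetype=st, index=idx, bytes=b)
                for h, s, st, idx, b in records]
    # Over the threshold: drop host and source, keep sourcetype and index.
    squashed = defaultdict(int)
    for _h, _s, st, idx, b in records:
        squashed[(st, idx)] += b
    return [dict(host="", source="", sourcetype=st, index=idx, bytes=b)
            for (st, idx), b in squashed.items()]


def split_by(rows, field):
    """Total bytes per value of `field`; a dropped name shows as SQUASHED."""
    totals = defaultdict(int)
    for row in rows:
        totals[row[field] or "SQUASHED"] += row["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for limit in (10, 3):  # below and above the 5 distinct tuples in SAMPLE
        rows = peer_report(SAMPLE, limit)
        print(limit, split_by(rows, "host"), split_by(rows, "index"))
```

With the threshold exceeded, the host split collapses to a single SQUASHED series carrying the full volume, while the index split is unchanged. This is why a per-host spike investigation can come up empty even though the total is correct.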

Interpret ingestion-based results

The series in a bar chart are individually color coded so you can analyze usage patterns and take any appropriate action. For example:

  • You set Split by to Index and see that a certain index shows an unusually high spike in usage. Investigate the cause of the spike and determine if it requires remediation.
  • You see that your daily usage and average and peak volumes are consistently close to or exceeding your license limit. Contact your Splunk account representative to upgrade your subscription.

Click any bar in the chart to view the underlying data for the bar. Be sure to not modify the underlying data in any way.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and click New Alert to define a new alert action. See also the Determine retention usage and set an alert section in Interpret index and storage capacity results in the Splunk Cloud Platform Admin Manual.

Monitor current SVC usage of your workload-based subscription

If your Splunk Cloud Platform subscription plan measures your deployment's ingestion and search workload consumption by Splunk Virtual Compute (SVC) units, Splunk Cloud Platform administrators use the Workload dashboard on the CMC to monitor usage and stay within their subscription entitlement. For more information about the SVC entitlement for your workload-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

Review the Workload dashboard

The Workload dashboard contains panels visible to Splunk Cloud Platform administrators that show SVC entitlement and usage for either ingest-based or workload-based subscriptions over a specific time range.

The SVC Usage and License Entitlement are overview panels that display your data utilization against your subscription entitlement limits. The Searchable Index Storage and Current Searchable Index Storage panels display summary information about the deployment's active storage usage.

If your utilization consistently meets or exceeds your subscription entitlement limits, contact your Splunk representative to increase the number of SVCs allocated to your stack.

The other panels contain charts that show your deployment's overall SVC usage and help pinpoint where you need to optimize your organization's SVC consumption. These charts are based on hourly calculations. Hover your mouse pointer over a vertical bar or a point on a line to view data for a specific hour.

The SVC Usage by Top 10 <variable> panel includes options to specify viewing usage by apps, searches, or users. The panel title changes depending on the selected dropdown menu option.

To investigate your panels, go to Cloud Monitoring Console > License Usage > Workload. Use the following table to understand the dashboard interface.

Panel | Description
SVC Usage | Shows your organization's SVC usage against the license limit.

This chart shows hourly usage calculated in standard 60-minute time blocks, meaning 9:00-9:59 AM or 11:00-11:59 PM.

The displayed data excludes data gathered during both the current hour and one previous hour. This means that if you are viewing this chart at 2:58 PM, data from 1:00-1:59 PM (the previous hour) and 2:00-2:59 PM (the current hour) is excluded from calculation. At 3:00 PM, data from 1:00-1:59 PM will be included, and at 4:00 PM, the data from 2:00-2:59 PM will be included. This exclusion is to ensure the correct calculation of your organization's ingested data.

For workload-based subscriptions:

  • Color-coded vertical bars show the following about SVC usage:
    • Blue bars indicate usage that is below the optimal threshold.
    • Yellow bars indicate usage that is at or above the optimal threshold of 80% of the licensed amount. Splunk Cloud Platform administrators may see issues with their deployment when the usage remains elevated for extended periods of time.
    • Red bars indicate usage that is above 90% of the licensed amount. This indicates a degraded state. Splunk Cloud Platform administrators will likely see issues with their deployment when the usage remains degraded for extended periods of time.
  • Color-coded horizontal reference lines show the following:
    • Green: Your organization's average SVC utilization.
    • Yellow: The optimal utilization threshold, which is calculated as 80% of the license limit.
    • Red: Your organization's SVC entitlement or license limit.

For best performance, utilization should be at 60-70% of the license limit. If it exceeds 70%, look at the detail panels and take action to optimize the high consumers of SVC. When your utilization is 80-90% of your license limit, there is a risk of performance impact if you don't proactively manage your consumption. You can do this by reviewing the high SVC consumers or by increasing your license entitlement. Contact your Splunk account representative to discuss allocating more SVCs to your stack.

For ingest-based subscriptions, the following elements don't appear:

  • Reference lines for SVC entitlement and 80% optimal utilization threshold.
  • The yellow elevated and red degraded usage bars.

The displayed SVC values for ingest-based subscriptions are only a projected estimate. The actual appropriate SVC entitlement for your organization may be affected by various usage factors. To determine the appropriate SVC entitlement for your deployment and to convert your ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

License Entitlement | Shows the number of SVCs assigned to your organization's subscription per your license entitlement.

This panel displays a 0 for the following scenarios:

  • Subscription status: Your organization has a new workload-based subscription and Splunk is still processing your SVC entitlement. Once this process is complete, your entitlement will appear.
  • Subscription type: Your organization uses ingest-based licensing. Contact your Splunk account representative to convert your subscription type from ingest-based to workload-based.
Current Searchable Index Storage | Shows your organization's current searchable index storage total in GB. This value includes only actively searched storage and is calculated when you load this dashboard. Though this value will generally correspond to the total of the individual index values displayed in the Searchable Index Storage table, there may be differences due to the time the queries are performed, data aging out of indexes, and similar reasons.

Use this information to compare your current storage consumption against your subscription entitlement and data retention limits.

Searchable Index Storage | Shows a table of the indexes in your deployment and the current searchable amount in GB for each actively searchable index. The searchable indexes of your deployment only include those in a hot or warm bucket. The GB value that displays for each index is calculated when you load this dashboard.

Use this information to determine which indexes are high consumers of storage, and also understand general usage patterns and trends.

Data Ingestion | Shows the hourly rate of ingestion in GB.
Dispatch and Skipped Search Count | Shows the number of searches per hour that are dispatched or skipped.

The yellow vertical lines indicating elevated SVC usage and the red vertical lines indicating degraded SVC usage correlate to the same lines in the SVC Usage panel.

SVC Consumers | Shows SVC consumption per hour by system processes and resources.
  • Ingestion: Encompasses both ingestion and indexing processes. See the SVC Usage by Ingestion panel for a breakdown of the ingested data by either index or sourcetype.
  • Search: Encompasses all running search processes. See the SVC Usage by Search Type panel for a detailed view of these search types, and the SVC Usage by Top 10 <variable> panel for a breakdown of search data by apps, searches, or users.
  • Shared services: Encompasses internal system processes necessary to maintain service to your deployment.
SVC Usage by Search Type | Shows SVC consumption per hour by the assigned search type, such as ad-hoc, datamodel acceleration, or scheduled.
SVC Usage by Ingestion | Shows SVC consumption per hour by ingestion source. Select either Index or Sourcetype from the drop-down menu.
SVC Usage by Top 10 <variable> | Shows high consumers of SVC per hour grouped by Apps, Searches, or Users so you can take steps to optimize their consumption. For example, by analyzing the users and searches data, you can contact high consumers of SVC and discuss ways to optimize their consumption, such as improving their search queries.


Select one of the following options from the drop-down menu:

  • Apps: Lists a maximum of the top 10 apps and their respective SVC consumption.
  • Searches: Shows which searches utilize the greatest SVC as a percentage of the total consumption.
  • Users: Lists a maximum of the top 10 users and their respective SVC consumption. These users may be human or virtual administrators.

One virtual administrator is the internal splunk-system-user, which runs jobs and processes like summary refreshes, report accelerations, and data model accelerations for a deployment on behalf of a Splunk Cloud Platform customer. Running these processes consumes SVCs. If the SVC usage of splunk-system-user seems abnormal, Splunk Cloud Platform administrators should contact the deployment's administrator to investigate the increased consumption.

Interpret SVC usage results

See the table in Review the Workload dashboard in this topic for information on keeping your SVC usage within license limits.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and click New Alert to define a new alert action. See also the Determine retention usage and set an alert section in Interpret index and storage capacity results in the Splunk Cloud Platform Admin Manual.
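The SVC Usage panel's bar colors and its exclusion of the current and previous hour, worked through as an added example (not Splunk code). It flags runs of consecutive elevated or degraded hours. The entitlement, hourly values, and the `min_hours` definition of an "extended period" are constructed assumptions; the page does not quantify that period.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
LIMIT = 100  # constructed SVC entitlement
# Constructed hourly SVC usage for 06:00 through 14:00 on one day.
HOURLY = {datetime(2021, 10, 12, h): v for h, v in
          zip(range(6, 15), [55, 82, 85, 93, 70, 88, 91, 95, 97])}


def latest_included_hour(now):
    """Start of the newest 60-minute block the chart includes.

    The current hour and the one before it are excluded.
    """
    return now.replace(minute=0, second=0, microsecond=0) - 2 * HOUR


def bar_color(svc, limit):
    """Blue below 80%, yellow at or above 80%, red above 90% of the limit."""
    if svc * 10 > limit * 9:
        return "red"
    if svc * 10 >= limit * 8:
        return "yellow"
    return "blue"


def summarize(run):
    """(first hour, last hour, worst color) for a run of non-blue hours."""
    worst = "red" if any(c == "red" for _, c in run) else "yellow"
    return (run[0][0], run[-1][0], worst)


def sustained_runs(hourly, limit, now, min_hours=3):
    """Runs of at least `min_hours` consecutive yellow or red bars.

    `min_hours` is an assumed stand-in for "extended periods of time".
    """
    cutoff = latest_included_hour(now)
    runs, current = [], []
    for hour in sorted(h for h in hourly if h <= cutoff):
        color = bar_color(hourly[hour], limit)
        gap = bool(current) and hour - current[-1][0] != HOUR
        if color == "blue" or gap:
            if len(current) >= min_hours:
                runs.append(summarize(current))
            current = []
        if color != "blue":
            current.append((hour, color))
    if len(current) >= min_hours:
        runs.append(summarize(current))
    return runs


if __name__ == "__main__":
    for now in (datetime(2021, 10, 12, 14, 58), datetime(2021, 10, 12, 15, 0)):
        print(now, sustained_runs(HOURLY, LIMIT, now))
```

At 2:58 PM only the 07:00 to 09:00 run is visible. The second run, which began at 11:00, is not reported until 3:00 PM because the 1:00 PM block is still excluded.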

Use the Data Archive and Restoration Summary panel

For Splunk Cloud Platform administrators, the Data Archive and Restoration Summary panel in the Cloud Monitoring Console (CMC) app shows information about your archived data for indexes that are enabled with Dynamic Data Active Archive (DDAA). Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the panel in the CMC app.

Your organization must have enabled DDAA as part of its Splunk Cloud Platform subscription to see data in this panel.

If you exceed your storage requirements by ingesting more data than your initial estimate, Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Periodically, Splunk will review and charge your account for any overages. For more information and to understand storage requirements based on your subscription type, see the Storage section of the Splunk Cloud Platform Service Description.

See also

For more information about | See
Managing your aged ingested data with DDAA | Store expired Splunk Cloud Platform data to a Splunk-managed archive
Managing indexes | Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual

Archive Summary

In the CMC navigation bar, click License Usage > Data Archive and Restoration Summary, then click the Archive Summary tab.

The summary information in this tab shows data on the usage, entitlement, and 90-day growth and expiration in GB for all of your deployment's indexes enabled with DDAA.

The Archived Data Details table lists the following information:

  • Archived index name
  • Current size (GB)
  • Timestamps for the earliest and latest archived events
  • 90-day data growth and expiration data in GB

The amounts for the summarized and detailed growth and expiration data are for uncompressed (raw) data.

Interpret these results

Compare the usage against the entitlement and the growth against the expiration. If the usage and the growth consistently exceed the entitlement and the expiration, this indicates the following:

  • You must re-evaluate your index ingestion and retention settings. See the topics listed in the See also section on how to manage indexes and DDAA settings.
  • You may need to upgrade your subscription to better handle your true data ingest and retention rates. Contact your Splunk account representative for help.

Restoration Summary

In the CMC navigation bar, click License Usage > Data Archive and Restoration Summary, then click the Restoration Summary tab.

The information in this tab shows the restoration activity for all of your deployment's indexes that are enabled with the DDAA feature. These totals in GB show the amount of uncompressed (raw) data in the following categories:

  • Restored: Copied archive data that has been temporarily restored to an index. Restored data expires from searchable storage after 30 days.
  • Cleared: Restored data that has been manually removed from an index. This data has a Jobstatus of Cleared.
  • Expired: Data that has been automatically removed from searchable storage as it has passed the 30-day retention period. This data has a Jobstatus of Expired.

The displayed totals depend on the data you have selected to restore or clear and also the conditions and limitations of the restoration process, as follows:

  • The archival and restoration process is complete.
  • The data doesn't overlap with other data.
  • The data size doesn't cause performance issues.

For more information, see the following in the Splunk Cloud Platform Admin Manual:

Interpret these results

Review these totals and determine if the amount of data restored, cleared, and expired in your deployment meets or exceeds your organization's actual requirements. For example, a high total for restored data or low total for cleared or expired data may indicate the need to re-evaluate your index management policies and procedures. Ensure that you are restoring and retaining only the data that your organization truly needs.

Last modified on 12 October, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107, 8.2.2109

