Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Use the License Usage dashboards

The first three dashboards accessed from the Cloud Monitoring Console > License Usage tab enable Splunk Cloud Platform administrators to monitor their Splunk Cloud Platform subscription entitlement and ensure they don't exceed their license limits.

To review all of your organization's subscription entitlements, see the Entitlements dashboard.

If your organization has an ingest-based subscription that measures by the amount of data ingested, see the Ingest dashboard.

If your organization has a workload-based subscription that measures by Splunk Virtual Compute (SVC) units, see the Workload dashboard.

For more detailed information about the different subscription types, see the Splunk Cloud Platform Service Description. Be sure to choose the correct service description version for your Splunk Cloud Platform deployment from the Version drop-down menu.

For more information about your organization's particular subscription entitlement, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

The last three dashboards accessed from the Cloud Monitoring Console > License Usage tab enable Splunk Cloud Platform administrators to monitor their Splunk Cloud Platform storage and usage entitlement. Splunk Cloud Platform retains data based on index settings that enable you to specify when data is to be deleted. Data retention capacity space in your Splunk Cloud Platform service is based on the volume of uncompressed data that you want to index on a daily basis.

Storage is based on your subscription type. You can also purchase additional data retention capacity. For more information, see the following information in the Splunk Cloud Platform Service Description:

For more information about creating and managing Splunk Cloud Platform indexes, see Manage Splunk Cloud Indexes in the Splunk Cloud Platform Admin Manual.

A blue progress bar might appear above a panel, indicating that the Splunk platform is still generating data. Wait for the bar to disappear before reviewing the panel.

Do not modify any Cloud Monitoring Console (CMC) dashboard. Changing any of the search criteria, formatting, or layouts may cause inaccurate results and also override the automatic update process.

Monitor your entitlements

Splunk Cloud Platform administrators use the Entitlements dashboard on the CMC to review the entitlement limits for their organization's subscription.

The panels show numerical values for the following entitlement limits:

  • <variable> License Entitlement: The variable in this title displays either Ingest or Workload, based on your subscription type.
  • Searchable storage: Dynamic Data Active Searchable (DDAS)
  • Archive storage: Dynamic Data Active Archive (DDAA)

Entitlement limits are specific to and based on your organization's unique requirements for ingesting and storing data with Splunk Cloud Platform. In particular, searchable and archive storage limits are specific to your Splunk Cloud Platform subscription because your organization may opt to purchase additional storage. For more information, see the following:

Review the Entitlement dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Entitlement.

Panel Description
<variable> License Entitlement Shows title of Workload License Entitlement and total number of SVCs if your organization has a workload-based subscription.

Shows title of Ingest License Entitlement and ingest limit in GB if your organization has an ingest-based subscription.

Searchable Storage (DDAS) Entitlement Shows your Dynamic Data Active Searchable (DDAS) storage entitlement in GB.
Archive Storage (DDAA) Entitlement Shows your Dynamic Data Active Archive (DDAA) entitlement in GB. Shows N/A if this isn't applicable for your organization's subscription.
Data scan entitlement for Federated Search for Amazon S3 Shows your amount of data scan entitlement available. If your organization doesn't have a license for Federated Search for Amazon S3, this panel is not visible.

Interpret the entitlement results

Because entitlement limits are determined by your organization's Splunk Cloud Platform subscription, contact your Splunk account representative with any questions about the displayed values.

Monitor current usage of your ingestion-based subscription

If your Splunk Cloud subscription plan measures the search workload consumption by the amount of data ingested, Splunk Cloud Platform administrators use the Ingest dashboard on the CMC to monitor usage and stay within their subscription entitlement.

Splunk Cloud Platform administrators can also use the SVC Usage panel in the Workload dashboard to view basic information about their organization's projected SVC utilization. Workload-based subscriptions use Splunk Virtual Compute (SVC) as a unit of measure. To understand the potential SVC equivalent for your ingest-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

For any questions about your organization's ingest-based subscription, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

About the Ingest dashboard

The Ingest dashboard contains four panels visible to Splunk Cloud Platform administrators:

  • License Entitlement shows the licensed limit in GB for your organization's ingest-based subscription. This entitlement also displays as a red horizontal line in the Daily License Usage panel.
  • Daily License Usage summary, Daily License Usage details, and Average and Peak Daily Volume show data ingestion in GB over a 30-day time range. These panels derive information from your organization's license manager and present data in a bar chart.
    • To view split-by details from the Daily License Usage summary or Daily License Usage details panels, click and drag an area of the panel to focus on a time range. Then use the Split by drop-down list to split the displayed results by host, index, source, or source type.

The Daily License Usage summary panel uses the UTC timezone. The Daily License Usage details panel uses the timezone that your Splunk Cloud Platform instance is set to. You might see a discrepancy between the panels if your Splunk Cloud Platform instance timezone is not set to UTC.

The Daily License Usage summary, Daily License Usage details, and Average and Peak Daily Volume panels use daily totals event data collected from the license_usage_summary.log file when you choose No Split. When you choose a Split by option, the panels use event data collected from the license_usage.log file. If the license manager is down at its local midnight, it won't generate the events for that day, and you won't see that day's data in the panels.

Review the Ingest dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Ingest.

Chart series values are color-coded. See the key on the side of a panel for the specific values included in a chart.

Filter option Description
License Entitlement Shows the licensed limit in GB for your organization's ingest-based subscription. See the red license limit horizontal line in the Daily License Usage panel to determine if your organization's ingestion rate stays under the limit.

Shows N/A if your organization has a workload-based subscription to Splunk Cloud Platform.

No Split The panels show license volume and usage data for all data pools.
Split by value Select a Split by option of Source Type, Host, Source, or Index. The panels may show the following behavior:
  • Daily License Usage: Shows up to 11 color-coded series of the selected option. This includes the top 10 series and OTHER, a summary category that includes series not in the top 10.
  • Average and Peak Daily Volume: Shows the average and peak daily values for the top five series of the selected option.

Data may display as SQUASHED when you split by host or source. This is because every license peer periodically reports to the license manager its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, source type, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by source type and index. This is done to conserve internal resources.

Because of squashing on the other fields, only the split-by source type and index guarantee full reporting. Split by source and host do not guarantee full reporting if those two fields represent many distinct values. The panels show the entire quantity indexed, but not the names. This means that you don't know who consumed a particular amount, but you know what the amount consumed is.

Interpret ingestion-based results

The series in a bar chart are individually color coded so you can analyze usage patterns and take any appropriate action. For example:

  • You set Split by to Index and see that a certain index shows an unusually high spike in usage. Investigate the cause of the spike and determine if it requires remediation.
  • You see that your daily usage and average and peak volumes are consistently close to or exceeding your license limit. Contact your Splunk account representative to upgrade your subscription.

Select any bar in the chart to view the underlying data for the bar. Be sure to not modify the underlying data in any way.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and select New Alert to define a new alert action. See also the Determine retention usage and set an alert section in Interpret index and storage capacity results in the Splunk Cloud Platform Admin Manual.

Monitor current SVC usage of your workload-based subscription

If your Splunk Cloud Platform subscription plan measures your deployment's ingestion and search workload consumption by Splunk Virtual Compute (SVC) units, Splunk Cloud Platform administrators use the Workload dashboard on the CMC to monitor usage. For more information about the SVC entitlement for your workload-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.


Review the Workload dashboard

The Workload dashboard contains panels visible to Splunk Cloud Platform administrators that show SVC entitlement and usage for either ingest-based or workload-based subscriptions over a specific time range.

This dashboard shows your deployment's overall SVC usage and can help locate where you can optimize your organization's SVC consumption. Hover your mouse pointer over a vertical bar or a point on a line to view data for a specific hour.

The SVC usage per hour by search type and SVC usage per hour by top <variable> panels represent less accurate data due to sampling rates. These panels use the search_launcher process, which represents searches that take less than 10 seconds to complete. This process might hide a lot of data. For more accurate data, view the Search time by search type and Search time by top 10 apps, users, and searches panels.

To investigate your panels, go to Cloud Monitoring Console > License Usage >  Workload. Use the following table to understand the dashboard interface.

Panel Description
Total number of licensed SVCs Shows the number of SVCs assigned to your organization's subscription per your license entitlement.

This panel displays an N/A for the following scenarios:

  • Subscription status: Your organization has a new workload-based subscription and Splunk is still processing your SVC entitlement. Once this process is complete, your entitlement will appear.
  • Subscription type: Your organization uses ingest-based licensing. Contact your Splunk account representative to convert your subscription type from ingest-based to workload-based.
Peak SVC usage Shows your organization's SVC usage against the license limit.

This chart shows hourly usage calculated in standard 1 hour time blocks, meaning 9:00-9:59 AM or 11:00-11:59 PM. Use the time picker to adjust the granularity by 1 hour, 15 minutes, or 5 minutes. Finer time granularity selection offers increased visibility into when SVC usage peaks or dips within a given timeframe, so you can understand whether usage is consistently high or if there might be specific workloads causing spikes in usage.

The displayed data excludes data gathered during both the current hour and one previous hour. This means that if you are viewing this chart at 2:58 PM, data from 1:00-1:59 PM (the previous hour) and 2:00-2:59 PM (the current hour) is excluded from calculation. At 3:00 PM, data from 1:00-1:59 PM will be included, and at 4:00 PM, the data from 2:00-2:59 PM will be included. This exclusion is to ensure the correct calculation of your organization's SVC utilization.

For workload-based subscriptions:

  • Color-coded vertical bars show the following about SVC usage:
    • Blue bars indicate usage that is below the optimal threshold.
    • Yellow bars indicate usage that is at or above the optimal threshold of 80% of the licensed amount. Splunk Cloud Platform administrators might see issues with their deployment when the usage remains elevated for extended periods of time.
    • Red bars indicate usage that is above 90% of the licensed amount. This indicates a degraded state. Splunk Cloud Platform administrators will likely see issues with their deployment when the usage remains degraded for extended periods of time.
  • Color-coded horizontal reference lines show the following:
    • Green: Your organization's average SVC utilization.
    • Yellow: The optimal utilization threshold, which is calculated as 80% of the license limit.
    • Red: Your organization's SVC entitlement or license limit.

Generally, SVC usage should be less than 80% to maintain performance. 80% to 90% is considered elevated usage. Greater than 90% usage might cause degraded performance. If utilization exceeds 80%, look at the detail panels and consider optimizing processes that are high SVC consumers. Or, you can contact your Splunk account representative to discuss increasing your license entitlement.

For ingest-based subscriptions, the following elements don't appear:

  • Reference lines for SVC entitlement and 80% utilization threshold.
  • The yellow elevated and red degraded usage bars.

The displayed SVC values for ingest-based subscriptions are only a projected estimate. The actual appropriate SVC entitlement for your organization migth be affected by various usage factors. To determine the appropriate SVC entitlement for your deployment and to convert your ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

Peak SVC usage as a percentage of allocated SVCs per tier Shows SVC peak usage as a percentage of SVCs provisioned by the search head and indexer tier. Use the time picker to adjust the granularity by 1 hour, 15 minutes, or 5 minutes.


Provisioned SVCs are allocated to the search head and indexer tiers after initial sizing conversations about intended workloads and requirements, with intention to minimize the footprint for both tiers. Viewing the usage as a percentage of provisioned SVCs provides insight on a tier level and helps you understand what utilization looks like if one tier is over extended. Review the percentage usage on each tier to identify which tier is close to exceeding the optimal range of greater than 80%.

This panel has the following limitations:

  • This panel uses a new calculation as of CMC version 3.12.0 and does not display historical data. The data requires history before it's visible in the CMC. On day of release, this panel will contain approximately a week's worth of data.
  • This panel does not break down usage percentage by individual search heads.

The displayed data excludes data gathered during both the current hour and one previous hour. This means that if you are viewing this chart at 2:58 PM, data from 1:00-1:59 PM (the previous hour) and 2:00-2:59 PM (the current hour) is excluded from calculation. At 3:00 PM, data from 1:00-1:59 PM will be included, and at 4:00 PM, the data from 2:00-2:59 PM will be included.

Peak SVC usage per hour split by process Shows SVC consumption per hour by system processes and resources.
  • Ingestion: Encompasses both ingestion and indexing processes. This includes any index or scripted_input process and also processes on indexers that are not counted in the search or shared services categories. See the SVC Usage by Ingestion panel for a breakdown of the ingested data by either index or source type.
  • Search: Encompasses any running search process where the process_type starts with search.
  • Shared services: Encompasses internal system processes necessary to maintain service to your deployment. This includes any other non-search process on the search head, such as kvstore and splunk_web processes.
<variable> (search seconds, SVC usage) per hour by search type Search seconds per hour by search type shows search seconds per hour by search type. This is the default view for this panel.
  • REST_API: Searches that use the Splunk REST API. See Basic concepts about the Splunk platform REST API.
  • ad-hoc: Searches that are unscheduled and manually run. See ad hoc search.
  • dashboard: Searches run by your dashboards
  • scheduled: Searches that are saved and scheduled so they automatically run. See scheduled search.
  • summary director: Maintenance tasks that run in the background involving caching and summarization to ensure searches are processed.


Select estimated SVC to view SVC usage per hour by search type. This shows SVC consumption per hour as categorized by one of the following assigned search types. If the consumption can't be categorized in an assigned search type, it is grouped in the general other category.

  • ad-hoc: Searches that are unscheduled and manually run. See ad hoc search.
  • report acceleration: Searches that are related to accelerated data models or reports. See data model acceleration, report acceleration, and How data model acceleration differs from report acceleration and summary indexing.
  • scheduled: Searches that are saved and scheduled so they automatically run. See scheduled search.
  • scheduled realtime: Searches where the search_mode field value is realtime indexes (RT Indexes) and the search_type field value is scheduled.
  • search launcher: Ephemeral searches that are managed by the search launcher, which is a splunkd helper process that is responsible for forking new search processes and managing a high number of fast-running searches on deployments. Because the individual ephemeral searches are being quickly processed, your deployment's SVC usage for these searches is based on the search launcher process to ensure an accurate SVC calculation.
<variable> (Search seconds, SVC usage) by top 10 <process type> (apps, searches, users) Search seconds by top 10 <process type> shows search seconds per hour grouped by consumer type and search head. You can identify which apps, users, and searches per search head have relatively high search times. This is the default view for this panel.


Select estimated SVC to view SVC usage by top 10 <process type>. This shows high consumers of SVC per hour grouped by consumer type and search head so you can take steps to optimize their consumption. For example, by analyzing the users and searches data, you can contact high consumers of SVC and discuss ways to optimize their consumption, such as improving their search queries.

Select one of the following options from the Process type drop-down menu:

  • Apps: Lists a maximum of the top 10 apps and their respective SVC consumption.
  • Users: Lists a maximum of the top 10 users and their respective SVC consumption. These users may be human or virtual administrators.
  • Searches: Shows which searches utilize the greatest SVC as a percentage of the total consumption.

Select one of the following options from the Search head drop-down menu:

  • All: Shows all search heads in your Splunk Cloud Platform deployment. This category includes all the data ingested and processed in the deployment.
  • Historical: Shows a different view of All. This category includes all the data ingested, processed, and summarized in the deployment prior to the CMC 2.9.0 release.
  • Specific search head name: Shows data for a specific search head that has been ingested, processed, and summarized in the deployment as of and after the CMC 2.9.0 release.

One virtual administrator is the internal splunk-system-user, which runs jobs and processes like summary refreshes, report accelerations, and data model accelerations for a deployment on behalf of a Splunk Cloud Platform customer. Running these processes consumes SVCs. If the SVC usage of splunk-system-user seems abnormal, Splunk Cloud Platform administrators should contact the deployment's administrator to investigate the increased consumption.

Dispatched and skipped search count per hour Shows the number of searches per hour that are dispatched or skipped.

The yellow vertical lines indicating elevated SVC usage and the red vertical lines indicating degraded SVC usage correlate to the same lines in the SVC Usage panel.

Peak SVC usage per hour by indexing source Shows SVC consumption per hour by ingestion source. Select either Index or Sourcetype from the drop-down menu.
Hourly rate of ingestion Shows the hourly rate of ingestion in GB. When data ingestion rates are high, the indexer consumes more resources to process and ingest data. High ingestion rates can increase SVC usage.

Interpret SVC usage results

See the table in Review the Workload dashboard in this topic for information on keeping your SVC usage within license limits.

In the Events tab for a search, the search_label field includes the _ACCELERATE_{SID_NUMBER} value so you can search for an event using its SID value.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and select New Alert to define a new alert action.

Monitor the Storage Summary dashboard

This dashboard shows searchable and archive storage license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Storage Summary dashboard

The Storage Summary dashboard highlights important information that also displays on the Entitlements, Searchable Storage (DDAS), and Archive Storage (DDAA) dashboards. This dashboard provides insights into your data retention based on the uncompressed data you have indexed.

To view this dashboard, you must have the indexes_edit capability.

Review the Storage Summary dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Storage Summary.

Panel Description
Searchable Storage (DDAS) Entitlement Shows the amount of your entitled searchable storage based on your DDAS license entitlement.
Searchable Storage (DDAS) Usage Shows the amount of searchable storage used by both customer-created and metered internal indexes.
Searchable Storage (DDAS) Usage Percent Shows your percentage of usage compared to your DDAS license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
Archive Storage (DDAA) Entitlement Shows the amount of your archive storage entitlement based on your DDAA license.
Archive Storage (DDAA) Usage Shows the amount of archive storage used by both customer-created and metered internal indexes.
Archive Storage (DDAA) Usage Percent Shows your percentage of usage compared to your DDAA license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.

If your organization doesn't have a DDAA subscription, this panel displays N/A.

Restored Entitlement, Restored Searchable Storage (DDAS) Usage, and Restored Searchable Storage (DDAS) Usage Percent For more information, see the panel descriptions in the Review the Searchable Storage (DDAS) dashboard section.

If your organization doesn't have a DDAA subscription, these panels don't appear.

Index Details Provides a tabular overview of index retention and storage usage, per index.
  • Searchable Storage (DDAS) Retention Days
  • Searchable Storage (DDAS) Index Size GB
  • Archive Storage (DDAA) Retention Days
  • Archive Storage (DDAA) Usage GB
  • Archived GB Last 90 Days
  • Expired GB Last 90 Days

For Archived GB Last 90 Days and Expired GB Last 90 Days, the 90-day count is up to midnight of the previous day from when you accessed the dashboard. This means if you access the dashboard on January 1 at 9:00 AM, the 90th day of data is December 31 at 11:59 PM. Searchable Storage (DDAS) Retention Days and Archive Storage (DDAA) Retention Days also display values as of midnight of the previous day.

Interpret storage summary results

  • If the Searchable Storage (DDAS) Usage Percent panel value displays in red or yellow, this indicates that you need to reduce your DDAS usage. See the Searchable Storage (DDAS) dashboard for more detailed information.
  • If the Archive Storage (DDAA) Usage Percent panel value displays in red or yellow, this indicates that you need to reduce your DDAA usage. See the Archive Storage (DDAA) for more detailed information.

Monitor current usage of Searchable Storage (DDAS)

This dashboard shows comprehensive Dynamic Data Active Searchable (DDAS) license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Searchable Storage (DDAS) dashboard

Dynamic Data Active Searchable (DDAS) is used for searching ingested data. DDAS is also commonly known as searchable storage. Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the dashboard in the CMC app. For more information, see Restore archived data to Splunk Cloud Platform.

Your organization determines their DDAS entitlement amount when subscribing to the Splunk Cloud Platform. For questions about your organization's DDAS entitlement, contact your Splunk account representative. See also the "Data retention" and "Dynamic Data Active Searchable (DDAS)" sections in the Storage section of the Splunk Cloud Platform Service Description.

The Searchable Storage (DDAS) dashboard provides insights into your data retention based on the uncompressed data you have indexed.

Review the Searchable Storage (DDAS) dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Searchable Storage (DDAS).

Panel Description
Searchable Storage Entitlement Shows the amount of your searchable storage entitlement.

If you are an ingest-based customer, this value includes any additional storage you have purchased. If you are a workload-based customer, this value is the storage you have purchased. For questions about these entitlement values, contact your Splunk account representative.

Searchable Storage Usage Shows the amount of searchable storage used by customer-created and metered internal indexes in GB.This value includes only actively searched storage and is calculated when you load this dashboard. Though this value will generally correspond to the total of the individual index values displayed in the Searchable Storage Index Details table, there may be differences due to the time the queries are performed, data aging out of indexes, and similar reasons.

Use this information to compare your current storage consumption against your subscription entitlement and data retention limits.

Searchable Storage Usage Percent Shows your percentage of usage compared to your DDAS license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
Restored Entitlement Shows your entitlement limit for DDAA restores. For most Splunk Cloud Platform customers, this value is generally 10% of the amount that displays in the Searchable Storage (DDAS) Entitlement panel. If your organization has has expanded their license to increase restoring capacity, the restored entitlement limit reflects this increase up to 20%. For more information, see the following:

If your organization doesn't have a DDAA subscription, this panel doesn't appear.

Restored Searchable Storage (DDAS) Usage Shows the amount of restored storage used by both customer-created and metered internal indexes. This panel calculates searchable storage as the amount of restored data minus the expired and cleared data.

If your organization doesn't have a DDAA subscription, this panel doesn't appear.

Restored Searchable Storage (DDAS) Usage Percent Shows the percentage of restored data usage compared to your restored storage entitlement.

If your organization doesn't have a DDAA subscription, this panel doesn't appear.

Searchable Storage Usage Against Entitlement Shows the amount of searchable storage used by all applicable indexes compared to your entitlement limit.

This bar chart is the visualization for the Searchable Storage Usage panel.

Searchable Storage Usage by Top 10 Indexes Shows the top 10 indexes that are high consumers of searchable storage.

Select the Include Internal Indexes checkbox to include Splunk internal indexes in the chart and analyze if internal indexes are consuming high amounts of storage. See also the Splunk Internal Index Details table.

Searchable Storage Index Details Provides a tabular overview of searchable storage details per index that includes the following data:
  • Oldest Event
  • Newest Event
  • Event Count
  • Storage Retention Days
  • Index Size GB

Shows a table of the indexes in your deployment and the current searchable amount in GB for each actively searchable index. The searchable indexes of your deployment only include those in a hot or warm bucket. The GB value that displays for each index is calculated when you load this dashboard. Use this information to determine which indexes are high consumers of storage, and also understand general usage patterns and trends. For more information about index retention settings, see Manage data retention settings in the Splunk Cloud Platform Admin Manual.


Splunk Internal Index Details Provides a tabular overview of internal index details that includes the following data:
  • Oldest Event
  • Newest Event
  • Event Count
  • Storage Retention Days
  • Default Retention Days
  • Unmetered Index Size GB
  • Metered Index Size GB
  • Total Index Size GB

Splunk internal indexes can be identified by the underscore prefix (_) in the index name and appear on other storage dashboards, such as the Storage Summary dashboard. You can opt to include internal indexes in the Searchable Storage Usage by Top 10 Indexes chart.

An index with a storage value that exceeds the default value delivered by Splunk consumes additional license data. The Default Retention Days column shows Splunk default values. The Storage Retention Days column shows the actual storage retention value set for an index.

Interpret your searchable storage results

  • A good method to determine if your data usage is running higher than expected is to check the dates of the earliest and latest events and compare this time period to the retention setting for the individual index. For example, if the earliest event is 2020/01/25, the latest event is 2020/01/31, and the retention setting for the index is 90 days, then the data ingestion for the index was met long before the time retention setting was met. So, the data ingestion was greater than anticipated.
  • If an internal index displays a Storage Retention Days value that exceeds the Default Retention Days value, contact your Splunk account representative.

Monitor current usage of Archive Storage (DDAA)

This dashboard shows comprehensive Dynamic Data Active Archive (DDAA) license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Archive Storage (DDAA) dashboard

Dynamic Data Active Archive (DDAA) is used as a long term storage and data in DDAA can be restored to DDAS to be searched. For Splunk Cloud Platform administrators, this dashboard shows information about your archived data for indexes that are enabled with DDAA. Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the dashboard in the CMC app. For more information, see Store expired Splunk Cloud Platform data to a Splunk-managed archive.

Your organization must have enabled DDAA as part of its Splunk Cloud Platform subscription to see data in this dashboard. For more information, see the Dynamic Data Active Archive (DDAA) section in the Storage section of the Splunk Cloud Platform Service Description. If you exceed your storage requirements by ingesting more data than your initial estimate, Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Periodically, Splunk will review and charge your account for any overages.

The Archive Storage (DDAA) dashboard provides insights into your data retention based on the uncompressed data you have indexed.

Review the Archive Storage (DDAA) dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Archive Storage (DDAA).

Panel Description
Archive Storage Entitlement Shows the amount of your archive storage entitlement.
Archive Storage Usage Shows the total amount of archive storage currently used by all applicable indexes.
Archive Storage Usage Percent Shows the percentage of usage compared to your DDAA license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
Archive Storage Usage Against Entitlement Shows the amount of archive storage used by all applicable indexes compared to your entitlement limit.

This bar chart is the visualization for the Archive Storage Usage panel.

Archive Storage Usage by Top 10 Indexes Shows your Top 10 indexes that are high consumers of archive storage.
Data Archive and Restoration Summary Shows a summary of restoration activity for all of your deployment's indexes that are enabled with the DDAA feature from the last 90 days. The 90-day count is up to midnight of the previous day from when you accessed the dashboard. This means if you access the dashboard on January 1 at 9:00 AM, the 90th day of data is December 31 at 11:59 PM.

These totals in GB show the amount of uncompressed (raw) data in the following categories:

  • Total Size Restored GB: Copied archive data that has been temporarily restored to an index. Restored data expires from searchable storage after 30 days.
  • Total Size Cleared GB: Restored data that has been manually removed from an index. This data has a Jobstatus of Cleared.
  • Total Size Expired GB: Data that has been automatically removed from searchable storage as it has passed the 30-day retention period. This data has a Jobstatus of Expired

The displayed totals depend on the data you have selected to restore or clear and also the conditions and limitations of the restoration process, as follows:

  • The archival and restoration process is complete.
  • The data doesn't overlap with other data.
  • The data size doesn't cause performance issues.

For more information, see the following in the the Splunk Cloud Platform Admin Manual:

Index Storage Usage Details Provides a tabular overview of archive storage details per index that lists the following information:
  • Archived index name
  • Timestamps formatted in UTC for the earliest and latest archived events
  • 90-day data growth and expiration data in GB
  • Current usage amount in GB

Interpret your archive storage results

  • Compare the archive usage against the entitlement and the growth against the expiration. If the usage and the growth consistently exceed the entitlement and the expiration, this indicates the following:
    • You must re-evaluate your index ingestion and retention settings. See the topics listed in the See also section on how to manage indexes and DDAA settings.
    • You may need to upgrade your subscription to better handle your true data ingest and retention rates. Contact your Splunk account representative for help.
  • Review the restoration totals and determine if the amount of data restored, cleared, and expired in your deployment meets or exceeds your organization's actual requirements. For example, a high total for restored data or low total for cleared or expired data may indicate the need to re-evaluate your index management policies and procedures. Ensure that you are restoring and retaining only the data that your organization truly needs.
  • Be sure to convert event timestamps from UTC to your local time when analyzing the data in the Index Storage Usage Details table.

See also

For more information about See
Splunk Cloud Platform data retention policies and available storage subscriptions Storage
Managing your indexes, including searchable and archive storage The Manage your Indexes and Data in Splunk Cloud Platform section in the Splunk Cloud Platform Admin Manual

Monitor your Federated Search for Amazon S3 resources

Federated Search for Amazon S3 lets you search data from your Amazon S3 buckets from your Splunk Cloud Platform deployment without needing to ingest or index it first. The Federated Search for Amazon S3 dashboard in the CMC shows comprehensive data scan entitlement usage so your organization can stay within its limits.

About the Federated Search for Amazon S3 dashboard

This dashboard shows what your total data scan entitlement is and how much of that entitlement is used to date by your Federated Search for Amazon S3 searches in your current license term.

The dashboard tracks the volume of data on disk that is being scanned, not the amount of events that are being searched. Scans of data stored in compressed formats such as Parquet or GZIP will likely take up less of your entitlement than scans of data stored in uncompressed formats.

Review the information to ensure that you're staying within your Federated Search for Amazon S3 entitlement.

Your organization must have Federated Search for Amazon S3 set up as part of its Splunk Cloud Platform deployment to see data in this dashboard.

Review the Federated Search for Amazon S3 dashboard

To investigate your panels, go to Cloud Monitoring Console then License Usage then Federated Search for Amazon S3. The following panels display N/A if your organization does not have a Federated Search for Amazon S3 entitlement.

Panel Description
Total data scan entitlement Total amount of data scanning capabilities available for use during your current license term.
Data scan entitlement usage Total amount of data scanned by your searches during your current license term.
Percentage of data scan entitlement used The percentage of data scanning capabilities utilized by your searches during your current license term.

Interpret federated search for Amazon S3 data scan entitlement usage

The Percentage of data scan entitlement used panel is color-coded so you can quickly understand your usage. If your data scan entitlement usage is less than 80%, the panel data is green. If your usage is greater than 80%, the panel data is yellow. If your usage is greater than 90%, the panel data is red.

You can configure an alert action (for example, send an email) to be performed when your data scan entitlement usage exceeds 80%. Navigate to the CMC Alerts page to enable this alert: Alerts then Configured Alerts then CMC Alert - S3 scanned volume exceeds 80% of the entitlement value.

To learn more about CMC configured alerts, see Use the Alerts panel.

If your data scan entitlement usage is consistently high, consider upgrading entitlements by contacting your Splunk Sales representative.

Use the Archive Management panel

For Splunk Cloud Platform administrators, the Archive Management panel in the Cloud Monitoring Console (CMC) app shows information about your archived data for indexes that are enabled with Dynamic Data Active Archive (DDAA). Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the panel in the CMC app.

Your organization must have enabled DDAA as part of its Splunk Cloud Platform subscription to see data in this panel.

If you exceed your storage requirements by ingesting more data than your initial estimate, Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Periodically, Splunk will review and charge your account for any overages. For more information and to understand storage requirements based on your subscription type, see the Storage section of the Splunk Cloud Platform Service Description.

Archive Summary

In CMC, select the Archive Management link in the first panel of the Storage Summary or Archive Storage (DDAA) dashboard, then select the Archive Summary tab.

The summary information in this tab shows data on the usage, entitlement, and 90-day growth and expiration in GB for all of your deployment's indexes enabled with DDAA.

The archived data details table lists the following information:

  • Archived index name
  • Current size (GB)
  • Timestamps for the earliest and latest archived events
  • 90-day data growth and expiration data in GB

The amounts for the summarized and detailed growth and expiration data are for uncompressed (raw) data.

Interpret these results

Compare the usage against the entitlement and the growth against the expiration. If the usage and the growth consistently exceed the entitlement and the expiration, this indicates the following:

  • You must re-evaluate your index ingestion and retention settings. See the topics listed in the See also section on how to manage indexes and DDAA settings.
  • You may need to upgrade your subscription to better handle your true data ingest and retention rates. Contact your Splunk account representative for help.

Restoration Summary

In CMC, select the Archive Management link in the first panel of the Storage Summary or Archive Storage (DDAA) dashboard, then select the Restoration Summary tab.

The information in this tab shows the restoration activity for all of your deployment's indexes that are enabled with the DDAA feature. These totals in GB show the amount of uncompressed (raw) data in the following categories:

  • Restored: Copied archive data that has been temporarily restored to an index. Restored data expires from searchable storage after 30 days.
  • Cleared: Restored data that has been manually removed from an index. This data has a Jobstatus of Cleared.
  • Expired: Data that has been automatically removed from searchable storage as it has passed the 30-day retention period. This data has a Jobstatus of Expired.

The displayed totals depend on the data you have selected to restore or clear and also the conditions and limitations of the restoration process, as follows:

  • The archival and restoration process is complete.
  • The data doesn't overlap with other data.
  • The data size doesn't cause performance issues.

For more information, see the following in the the Splunk Cloud Platform Admin Manual:

Interpret these results

Review these totals and determine if the amount of data restored, cleared, and expired in your deployment meets or exceeds your organization's actual requirements. For example, a high total for restored data or low total for cleared or expired data may indicate the need to re-evaluate your index management policies and procedures. Ensure that you are restoring and retaining only the data that your organization truly needs.

See also

For more information about See
Managing your aged ingested data with DDAA Store expired Splunk Cloud Platform data to a Splunk-managed archive
Managing indexes Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual
Last modified on 07 March, 2024
PREVIOUS
Use the Usage dashboards
  NEXT
Use the Forwarder dashboards

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters