Use the Workload (preview) dashboard

Shows your organization's overall peak SVC usage as a single value and a percentage of your license entitlement.

Splunk deploys infrastructure based on your entitled SVCs. Overall peak SVC usage refers to the highest amount of resources used in a given time interval to perform system processes such as indexing, any running search processes, and shared services. It primarily measures the CPU usage across search and indexing workloads.

This panel provides usage color-coded threshold information. Generally, SVC usage should be less than 80% to maintain performance. Greater than or equal to 80% is considered elevated usage, and greater than or equal to 90% might cause degraded performance.

• Green indicates usage is optimal and below the 80% threshold.
• Yellow indicates usage is above or at the 80% threshold.
• Red indicates usage is elevated, and above or equal to the 90% threshold.

Shows your organization's search workload peak SVC usage as a single value.

Search peak SVC usage refers to the highest amount of resources used in a given time interval to perform search processes. It primarily measures the CPU usage across search workloads. The search workload can occur on both the search and indexing tiers.

Shows your organization's indexing workload peak SVC usage as a single value

Indexing peak SVC usage refers to the highest amount of resources used in a given time interval to perform indexing processes. It primarily measures the CPU usage across indexing workloads. The indexing workload occurs on the indexing tiers.

Overall workload • Peak SVC usage

This panel shows your organization's SVC usage in the context of your license entitlement.

Select from the following views:

• Overall: The highest amount of resources used in a given time interval to perform system processes such as indexing, any running search processes, and shared services.
• By process: Overall peak SVC usage split by search processes, indexing processes, and shared services.
• By tier: Peak SVC usage based on processes performed by the search head and indexing tiers.

Top 10 apps shows apps that contribute to the highest search time or estimated SVC usage.

Top 10 users shows users that contribute to searches with the highest search time or estimated SVC usage. These users may be human or virtual administrators.

One virtual administrator is the internal splunk-system-user, which runs jobs and processes like summary refreshes, report accelerations, and data model accelerations on behalf of a Splunk Cloud Platform customer. Running these processes consumes SVCs. If the SVC usage of splunk-system-user seems abnormal, contact the deployment's administrator to investigate the increased consumption.

Search • SVC usage

The search workload encompasses search processes that occur on the search and indexing tiers. The sum of all these processes equals the peak SVC usage from search processes during this time interval.

Select from the View by options to view estimated SVC usage or search time in seconds.

Select from the following Search head options:

• All: Shows all search heads in your Splunk Cloud Platform deployment. This category includes all the data ingested and processed in the deployment.
• Specific search head name: Shows data for a specific search head that has been ingested, processed, and summarized in the deployment as of and after the CMC 2.9.0 release.

Select from the following Split by options:

• Apps: Lists a maximum of the top 10 apps and their respective search workload SVC consumption or search time.
• Users: Lists a maximum of the top 10 users and their respective search workload SVC consumption or search time. These users may be human or virtual administrators.
• Searches: Shows which searches utilize the greatest search workload SVC or search time as a percentage of the total consumption.
• Search type: Shows search types and their respective search time or estimated SVC consumption.
• search launcher: Ephemeral searches that are managed by the search launcher, which is a splunkd helper process that is responsible for forking new search processes and managing a high number of fast-running searches on deployments. Because the individual ephemeral searches are being quickly processed, your deployment's SVC usage for these searches is based on the search launcher process to ensure an accurate SVC calculation.

Here are the following search types:

• REST_API: Searches that use the Splunk REST API. See Basic concepts about the Splunk platform REST API.
• ad-hoc: Searches that are unscheduled and manually run. See ad hoc search.
• dashboard: Searches run by your dashboards
• scheduled: Searches that are saved and scheduled so they automatically run. See scheduled search.
• scheduled realtime: Searches where the search_mode field value is realtime indexes (RT Indexes) and the search_type field value is scheduled.
• summary director: Maintenance tasks that run in the background involving caching and summarization to ensure searches are processed.
• report acceleration: Searches that are related to accelerated data models or reports. See data model acceleration, report acceleration, and How data model acceleration differs from report acceleration and summary indexing.
• Other: If the usage can't be categorized it's grouped in this general category.

Dispatched and skipped search count per hour shows the number of searches per hour that are dispatched or skipped.

Indexing workload • SVC usage

The indexing workload encompasses ingestion and indexing processes that occur on the indexing tier. The sum of all these processes equals the peak SVC usage from indexing processes during this time interval.

Select from the Split by options to view indexing processes by specific indexes or source types.

Ingestion by hour shows hourly rate of ingestion. When data ingestion rates are high, the indexer consumes more resources to process and ingest data. High ingestion rates can increase SVC usage.