Splunk Cloud

Splunk Cloud Admin Manual

Use the License Usage dashboards

The dashboards accessed from the Cloud Monitoring Console > License Usage tab enable Splunk Cloud administrators to monitor their Splunk Cloud subscription entitlement and ensure they don't exceed their license limits.

If your organization has an ingest-based subscription that measures by the amount of data ingested, see the Volume Licensing dashboard.

If your organization has a workload pricing subscription that measures by Splunk Virtual Core (SVC) units, see the Workload Pricing dashboard.

This section provides general information about these Splunk Cloud subscription models. For more information about your organization's particular subscription entitlement, or to convert from an ingest-based subscription to a workload pricing subscription, contact your Splunk account representative.

A blue progress bar might appear above a panel, indicating that the Splunk platform is still generating data. Wait for the bar to disappear before reviewing the panel.

Do not modify any Cloud Monitoring Console (CMC) dashboard. Changing any of the search criteria, formatting, or layouts may cause inaccurate results and also override the automatic update process.

Monitor current volume usage of your ingestion-based subscription

If your Splunk Cloud subscription plan measures the search workload consumption by the amount of data ingested, Splunk Cloud administrators can use the Volume Licensing dashboard on the CMC to monitor usage and stay within their subscription entitlement.

For more information about the ingest-based subscription model and how it differs from workload pricing subscriptions, see Workload pricing in the Splunk Cloud Service Description manual. Workload pricing subscriptions use Splunk Virtual Cores (SVC) as a unit of measure. To understand the potential SVC equivalent for your ingest-based subscription, see Understand Splunk Cloud performance considerations and SVC. To convert from an ingest-based subscription to a workload pricing subscription, contact your Splunk account representative.

See also the Determine retention usage and set an alert section in Interpret index and storage capacity results in the Splunk Cloud Admin Manual.

About the Volume Licensing dashboard

The Volume Licensing dashboard contains two panels visible to Splunk Cloud administrators that show data ingestion in GB over a 30-day time range: Daily License Usage and Average and Peak Daily Volume. Both panels derive information from your organization's license manager and present data in a bar chart. For information about your organization's specific license limit, contact your Splunk account representative.

The Split by drop-down list lets you split the displayed results by Host, Index, Source, or Source Type. The default is No Split.

These panels use daily totals event data collected from license_usage.log when you choose No Split. When you choose a Split by option, the panels use event data collected from the _internal index. If the license manager is down at its local midnight, it won't generate the events for that day, and you won't see that day's data in the panels.

Review the Volume Licensing dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Volume Licensing.

Chart series values are color-coded. See the key on the side of a panel for the specific values included in a chart.

Filter option: Description
No Split: The panels show license volume and usage data for all data pools.
Split by value: When using a Split by option, the panels may show the following behavior:
  • Daily License Usage: Shows up to 11 color-coded series of the selected option. This includes the top 10 series and OTHER, a summary category that includes series not in the top 10.
  • Average and Peak Daily Volume: Shows the average and peak daily values for the top five series of the selected option.

Data may display as SQUASHED when you split by host or source. This is because every license peer periodically reports to the license manager its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, source type, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by source type and index. This is done to conserve internal resources.

Because of squashing on the other fields, only the split-by source type and index guarantee full reporting. Split by source and host do not guarantee full reporting if those two fields represent many distinct values. The panels show the entire quantity indexed, but not the names. This means that you don't know who consumed a particular amount, but you know what the amount consumed is.
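The squashing and top-10-plus-OTHER behavior described above can be modeled in a few lines of Python. This is an added example, not Splunk code: the record layout, function names, sample data, and threshold values are assumptions chosen for illustration.

```python
from collections import Counter

SQUASHED = "SQUASHED"  # label the panels display for squashed values
FIELDS = {"host": 0, "source": 1, "sourcetype": 2, "index": 3}

def peer_report(records, threshold):
    """Model one license peer's periodic report to the license manager.

    records: iterable of (host, source, sourcetype, index, bytes).
    threshold: hypothetical stand-in for the configurable tuple limit.
    """
    totals = Counter()
    for host, source, sourcetype, index, nbytes in records:
        totals[(host, source, sourcetype, index)] += nbytes
    if len(totals) <= threshold:
        return totals
    # Too many distinct tuples: drop host and source names,
    # keep the breakdown by source type and index.
    squashed = Counter()
    for (_, _, sourcetype, index), nbytes in totals.items():
        squashed[(SQUASHED, SQUASHED, sourcetype, index)] += nbytes
    return squashed

def split_by(report, field, top=10):
    """Sum bytes per value of one field; keep the top N series plus OTHER."""
    per_value = Counter()
    for key, nbytes in report.items():
        per_value[key[FIELDS[field]]] += nbytes
    ranked = per_value.most_common()
    result = dict(ranked[:top])
    rest = sum(n for _, n in ranked[top:])
    if rest:
        result["OTHER"] = rest
    return result

# Constructed sample: 12 hosts writing one source type to two indexes.
SAMPLE = [
    (f"web{i:02d}", "/var/log/app.log", "app",
     "main" if i % 2 else "security", 100 * (i + 1))
    for i in range(12)
]

if __name__ == "__main__":
    squashed = peer_report(SAMPLE, threshold=5)    # 12 tuples > 5: squashed
    print(split_by(squashed, "host"))              # total kept, names lost
    print(split_by(squashed, "index"))             # full breakdown survives
    print(split_by(peer_report(SAMPLE, threshold=100), "host"))  # top 10 + OTHER
```

With the low threshold, the split by host collapses to a single SQUASHED series carrying the full total, while the split by index still attributes every byte.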

Interpret volume usage results

The series in a bar chart are individually color coded so you can analyze usage patterns and take any appropriate action. For example:

  • You set Split by to Index and see that a certain index shows an unusually high spike in usage. Investigate the cause of the spike and determine if it requires remediation.
  • You see that your daily usage and average and peak volumes are consistently close to or exceeding your license limit. Contact your Splunk account representative to upgrade your subscription.

Click any bar in the chart to view the underlying data for the bar. Be sure not to modify the underlying data in any way.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and click New Alert to define a new alert action.

Monitor current SVC usage of your workload pricing subscription

If your Splunk Cloud subscription plan measures the search workload consumption by Splunk Virtual Core (SVC) units, Splunk Cloud administrators can use the Workload Pricing dashboard on the CMC to monitor usage and stay within their subscription entitlement.

For more information about the workload pricing subscription model and how it differs from ingest-based subscriptions, see Workload pricing in the Splunk Cloud Service Description manual.

Understand Splunk Cloud performance considerations and SVC

Splunk Cloud provides a high-performance solution for customers. Every Splunk Cloud subscription plan is provisioned with adequate compute capacity. Because search workloads can vary considerably, ingest-based subscription plans with peak daily ingest of 1,000 GB (1 TB) and greater are entitled to an allocation of Splunk Virtual Cores as defined in the following paragraphs.

An SVC is a unit of capabilities in Splunk Cloud that includes compute, memory, and I/O resources. SVCs are allocated to your ingest-based subscription plan based on your average daily ingest, up to the maximum of 1 SVC for every 10 GB of licensed peak daily ingest. Subscriptions of Premium Solutions, such as Enterprise Security and IT Service Intelligence, provide incremental SVC allocation of 1 SVC for every 20 GB of licensed peak daily ingest.

The ratio of allocated SVC to licensed peak daily ingest level is subject to change with the evolving infrastructure and architecture of the service. Splunk Cloud establishes SVC performance using a Splunk Search Benchmark to ensure that new ratios continue to provide the same or better levels of performance.

Review the Workload Pricing dashboard

The Workload Pricing dashboard contains panels visible to Splunk Cloud administrators that show SVC entitlement and usage for either ingest-based or workload pricing subscriptions over a specific time range.

SVC Usage, Searchable Index Storage, and Current Searchable Index Storage are overview panels that display your data utilization against your subscription entitlement limits. If your utilization consistently meets or exceeds your subscription entitlement limits, contact your Splunk Sales representative to increase the number of SVCs allocated to your stack.

The following three detail panels help pinpoint where you need to optimize to reduce your organization's SVC consumption:

  • Top 10 SVC Users
  • Top 10 SVC Consumers
  • SVC Usage by Search Type

To investigate your panels, go to Cloud Monitoring Console > License Usage > Workload Pricing. Use the following table to understand the dashboard interface.

Panel: Description

SVC Usage: Shows your organization's SVC usage against the license limit. The blue bars indicate the peak SVC utilization and the green line indicates the license limit.

For best performance, utilization should be at 60-70% of the license limit. If it exceeds 70%, look at the detail panels and take action to optimize the high consumers of SVC. When your utilization is 80-90% of your license limit, there is a risk of performance impact if you don't proactively manage your consumption. You can do this by reviewing the high SVC consumers or by increasing your license entitlement. Contact your Splunk account representative to discuss allocating more SVCs to your stack.

SVC Entitlement: Shows the number of SVCs assigned to your organization's subscription per your license entitlement.

If your organization uses ingest-based licensing, the SVC Entitlement panel displays a 0. You'll also see a message to contact your Splunk account representative to convert your subscription model from ingest-based to workload pricing.

Index Ingest Usage: Shows your organization's storage consumption against the license limit.

If this panel indicates your indexes are high consumers of SVC, look at the Top 10 SVC Consumers panel for specific indexes that need remediation.

Searchable Index Storage: Shows the daily total GB used to store your organization's searchable indexes per day for the last 30 days. A searchable index is one in a hot or warm bucket.

Use this information to determine which indexes are high consumers of storage, and also understand general usage patterns and trends.

Current Searchable Index Storage: Shows your organization's current searchable index storage total for the last 24 hours, in GB. This value is calculated when you load this dashboard. Though this value will generally correspond to the most recent daily total value in the Searchable Index Storage graph, there may be differences due to the time the queries are performed, data aging out of indexes, and similar reasons.

Use this information to compare your current storage consumption against your subscription entitlement limits.

Top 10 SVC Users: Lists the top SVC users and their respective SVC consumption. These users may be human or virtual administrators.

With this data, you can contact high consumers of SVC and discuss ways to optimize their consumption, such as improving their search queries. The Learn more link accesses a topic about writing better searches that you can share with your users.

Top 10 SVC Consumers: Shows the top indexes, sources, or source types with the highest utilization. With this data, you can identify which resource consumers need optimization or other remediation.

Select an option from the drop-down list to populate the graph. When you select Indexes, the graph displays 7 days of data. When you select Source or Source Types, the graph displays only a day's worth of data. Because your deployment may have many indexes that require analysis, this limitation minimizes long-running queries that consume resources.

For more information on maintaining indexes, see Manage Splunk Cloud indexes in the Splunk Cloud User Manual. For source and source type, see the "Defining host, source, and sourcetype" and "Source vs sourcetype" sections of the About default fields (host, source, sourcetype, and more) topic in the Getting Data In manual.

SVC Usage by Search Type: Shows which searches use the most SVC as a percentage of the total consumption.

Search types are grouped into the following categories: Acceleration, Ad hoc, Other, Scheduled, and Summarization. Understanding SVC usage by search type can help you understand spikes in ad hoc searches, or clustering of scheduled searches. See also Set limits for concurrent searches in the Splunk Cloud User Manual.

Interpret SVC usage results

See the table in the Review the Workload Pricing dashboard section for information on keeping your SVC usage within license limits.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and click New Alert to define a new alert action.

Last modified on 30 September, 2020

This documentation applies to the following versions of Splunk Cloud: 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011
