Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Update required for CMC custom dashboards and reports

What will change?

On May 28th, 2025, summary events collected by saved searches within the CMC will be updated with the following changes:

  • Re-routing all new summary data to a new index called index=_cmc_summary, which is currently being logged to index=summary.
  • Correction to the _time field for CMC data that is stored in index=_internal

This change will improve dashboard load times for large deployments. Access to the new _cmc_summary index will be restricted to users with the sc_admin role by default. If your custom dashboards or reports rely on events from index=summary or index=_internal, you should follow the steps outlined below, or else you may experience disruptions.

Why are we doing this change?

This change improves speed of data retrieval for CMC by using an internal Splunk index. Additionally, a minor correction is being made to the _time field for the CMC data that lives in index=_internal. These changes can improve the SVC utilization of CMC dashboard searches when retrieving CMC summary data by utilizing the new, smaller _cmc_summary index. . Furthermore, this change improves storage utilization for customers by using an internal index for CMC data.

Call to Action

Customer dashboards and searches accessing the CMC data sources listed below from within the summary or _internal indexes must be updated to query both index=summary and index=_cmc_summary.

  1. Identify all custom reports or dashboards that utilize index=summary and index=_internal to retrieve data from the following even summaries:
    • splunk-search-seconds
    • splunk-svc
    • splunk-svc-consumer
    • splunk-ingestion
    • splunk-search-count
    • splunk-storage-detail
    • splunk-storage-summary
    • splunk-entitlements
    • splunk-ddaa-detail
    • splunk-ddaa-summary
    • splunk-fss3-usage
    • splunk-federated-analytics-usage
    • splunk-federated-analytics-ingest-usage-by-svc
  2. Update the SPL queries in the custom reports or dashboards by replacing index=summary and index=_internal with (index=summary OR index=_cmc_summary). This update ensures compatibility with both current and future releases.

    Example: index=summary
    From:

    index=summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=* | stats max(svc_usage) as utilized_svc by _time

    To:

    index=summary OR index=_cmc_summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=* | stats max(svc_usage) as utilized_svc by _time


    Example: index=_internal
    From:

    index=_internal source="splunk-storage-summary" | stats max(rawSizeGBCustomer) as "used" latest(activeStorageLicenseGB) as "license

    To:

    index=summary OR index=_cmc_summary source="splunk-storage-summary" | stats max(rawSizeGBCustomer) as "used" latest(activeStorageLicenseGB) as "license

  3. Confirm functionality of all modified dashboards and reports.

Please ensure your SPL updates are finalized by May 28, 2025. On that date, the data will be rerouted to index=_cmc_summary, and timely updates are crucial for continued data access.

Last modified on 24 April, 2025
 

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406, 9.3.2408 (latest FedRAMP release), 9.3.2411

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters