Splunk® Light

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of SplunkLight. Click here for the latest version.
Download topic as PDF

Share data in Splunk Light

You can opt in to automatically share certain data about your license usage and deployment performance with Splunk Inc ("Splunk"). Splunk uses this data to make decisions about future product development.

Splunk apps and add-ons

In addition to the data enumerated in this topic, certain apps or add-ons might collect additional data. Check the documentation for the apps and add-ons that you have installed on your instance.

For example, the Splunk App for AWS collects additional usage data. See Sending usage data to Splunk for the Splunk App for AWS for details.

Opt in or out of sharing usage data

The first time you run Splunk Light as an admin or equivalent, you are presented with a modal that has the following two selectable check boxes:

  • Help make Splunk software better! I authorize collection of anonymized information about software usage so Splunk can improve its products and services.
  • Get better Support! I authorize collection of information about software usage so Splunk can provide improved support and services for my deployment. Data will be linked to my account based on my installed licenses.

You can choose to send both, either, or neither of two types of usage data:

  • License usage data describing your active licenses and the amount of data you index.
  • Anonymized usage data about your deployment performance and usage, including session data.
  1. Select or deselect the check boxes to indicate your data sharing preferences.
  2. Click either Skip or OK.
    Option Description
    Skip Suppresses the modal permanently for the user who clicks Skip. Use this option to defer the decision to a different admin.
    OK Confirm your choices and suppress the modal permanently for all users.

Neither category of usage data is sent unless you click OK with one or both boxes checked. You can opt in or out at any time by navigating to System > Instrumentation.

If you opt out, the searches that gather the data on your system do not run, and no usage data is sent.

What usage data is collected

View non-session usage data

For license usage data, the anonymized usage data that is not session data, and the Support usage data that is not session data, you can view what data has been recently sent in Splunk Web.

  1. Navigate to System > Instrumentation.
  2. Click the category of data you wish to view in Search.

This log of data is available only after the first run of the collection. To inspect the type of data that gets sent before you opt in on your production environment, you can opt in on your sandbox environment.

View session data

To view the remaining anonymized or Support usage data, the session data, use JavaScript logging in your browser. Look for network events sent to a URL containing splkmobile. Events are triggered by actions such as navigating to a new page in Splunk Web.

The tables below describe the data collected if you opt in to both usage data programs and do not turn off update checker. The usage data is in JSON format tagged with a field named component.

Types of data collected by Splunk Light

Splunk Light can collect the following types of data:


Note that additional data might be collected by certain apps or add-ons. See the app or add-on documentation for details.

Anonymized or Support usage data

Description Components Note
Active license group and subgroup, total license stack quota, license pool quota, license pool consumption, total license consumption, license stack type licensing.stack
License IDs licensing.stack Sent for license usage reporting as well as anonymized and Support reporting, but persisted only for users opting in to license usage or Support reporting.
Host name of an indexer, replication factor and search factor for indexer cluster deployment.clustering.indexer
Indexer cluster member deployment.clustering.member Collected by a search running on the cluster master.
Indexer cluster search head deployment.clustering.searchhead Collected by a search running on the cluster master.
Number of hosts, number of Splunk software instances, OS/version, CPU architecture, Splunk software version, distribution of forwarding volume deployment.forwarders Collected for forwarders.
Distributed search peers deployment.distsearch.peer Collected by a search running on a search head captain or, in the absence of a search head cluster, a search head.
Indexes per search peer deployment.index Collected by a search running on a search head cluster captain or, in the absence of a search head cluster, a search head.
License slaves deployment.licensing.slave Collected by a search running on the license master.
GUID, host, number of cores by type (virtual/physical), CPU architecture, memory size, storage (partition) capacity, OS/version, Splunk version deployment.node For each indexer or search head.
Core utilization, storage utilization, memory usage, indexing throughput, search latency deployment.node performance.indexing performance.search
Search head cluster members deployment.shclustering.member Collected by a search running on the search head captain.
Indexing volume, number of events, number of hosts, source type name usage.indexing.sourcetype
Number of active users usage.users.active
Number of searches of each type, distribution of concurrent searches usage.search.type usage.search.concurrent
Apps installed on search head and search peers deployment.app Collected by a search running on a search head cluster captain or, in the absence of a search head cluster, a search head.
App name, page name, locale, number of users, number of page loads usage.app.page Session data.
deploymentID (identifier for deployment), eventID (identifier for this specific event), experienceID (identifier for this session), userID (hashed username), data.guid (GUID for instance serving the page) app.session.session_start Session data. Triggered when user is first authenticated.
Page views app.session.pageview Session data. Triggered when user visits a new page.
Dashboard characteristics app.session.dashboard.pageview Session data. Triggered when a dashboard is loaded.
Pivot characteristics app.session.pivot.load Session data. Triggered when a pivot is loaded.
Pivot changes app.session.pivot.interact Session data. Triggered when a change is made to a pivot.
Search page interaction app.session.search.interact Session data. Triggered with interaction with search page.

License usage data

Description Component(s) Note
Active license group and subgroup, total license stack quota, total license pool consumption, license stack type, license pool quota, license pool consumption licensing.stack
License IDs licensing.stack Sent for both reporting types, but persisted only for users opting in to license usage reporting.

Data samples

Anonymized, Support, and license usage data is sent to Splunk as a JSON packet that includes a few pieces of information like component name and deployment ID, in addition to the data for the specific component. Here is an example of a complete JSON packet:

{
  "component": "deployment.app",
  "data": {
    "name": "alert_logevent",
    "enabled": true,
    "version": "7.0.0",
    "host": "ip-10-222-17-130"
  },
  "visibility": "anonymous,support",
  "timestamp": 1502845738,
  "date": "2017-08-15",
  "transactionID": "01AFCDA0-2857-423A-E60D-483007F38C1A",
  "executionID": "2A8037F2793D5C66F61F5EE1F294DC",
  "version": "2",
  "deploymentID": "9a003584-6711-5fdc-bba7-416de828023b"
}

For ease of use, the following tables show examples of only the "data" field from the JSON event.

Anonymized or Support usage data

Click Expand to view examples of the data that is collected.

Component Data category Example
deployment.app Apps installed on search head and peers
{
    "name": "alert_logevent",
    "enabled": true,
    "version": "7.0.0",
    "host": "ip-10-222-17-130"
  }
deployment.clustering.indexer Clustering configuration
{
    "host": "docteam-unix-5",
    "summaryReplication": true,
    "siteReplicationFactor": null,
    "enabled": true,
    "multiSite": false,
    "searchFactor": 2,
    "siteSearchFactor": null,
    "timezone": "-0700",
    "replicationFactor": 3
}
deployment.clustering.member Indexer cluster member
  {
    "site": "default",
    "master": "ip-10-212-28-184",
    "member": {
      "status": "Up",
      "guid": "471A2F25-CD92-4250-AA17-4E49819B897A",
      "host": "ip-10-212-28-4"
    }
  }
deployment.clustering.searchhead Indexer cluster search head
{
    "site": "default",
    "master": "ip-10-222-27-244",
    "searchhead": {
      "status": "Connected",
      "guid": "1D4D422A-ADDE-437D-BA07-2B0C319D23BA",
      "host": "ip-10-212-55-3"
    }
  }
deployment.distsearch.peer Distributed search peers
{
    "peer": {
      "status": "Up",
      "guid": "472A5F22-CC92-4220-AA17-4E48919B897A",
      "host": "ip-10-222-21-4"
    },
    "host": "ip-10-222-27-244"
  }
deployment.forwarders Forwarder architecture, forwarding volume
{
    "hosts": 168,
    "instances": 497,
    "architecture": "x86_64",
    "os": "Linux",
    "splunkVersion": "6.5.0",
    "type": "uf",
    "bytes": {
        "min": 389,
        "max": 2291497,
        "total": 189124803,
        "p10": 40960,
        "p20": 139264,
        "p30": 216064,
        "p40": 269312,
        "p50": 318157,
        "p60": 345088,
        "p70": 393216,
        "p80": 489472,
        "p90": 781312
    }
}
deployment.index Indexes per search peer
{
    "name": "_audit",
    "type": "events",
    "total": {
      "rawSizeGB": null,
      "maxTime": 1502845730.0,
      "events": 1,
      "maxDataSizeGB": 488.28,
      "currentDBSizeGB": 0.0,
      "minTime": 1502845719.0,
      "buckets": 0
    },
    "host": "ip-10-222-17-130",
    "buckets": {
      "thawed": {
        "events": 0,
        "sizeGB": 0.0,
        "count": 0
      },
      "warm": {
        "sizeGB": 0.0,
        "count": 0
      },
      "cold": {
        "events": 0,
        "sizeGB": 0.0,
        "count": 0
      },
      "coldCapacityGB": "unlimited",
      "hot": {
        "sizeGB": 0.0,
        "max": 3,
        "count": 0
      },
      "homeEventCount": 0,
      "homeCapacityGB": "unlimited"
    },
    "app": "system"
  }
}
deployment.licensing.slave License slaves
{
    "master": "9d5c20b4f7cc",
    "slave": {
      "pool": "auto_generated_pool_enterprise",
      "guid": "A5FD9178-2E76-4149-9FGF-55DCE35E38E7",
      "host": "9d5c20b4f7cc"
    }
  }
deployment.node Host architecture, utilization
{  
    "guid": "123309CB-ABCD-4BC9-9B6A-185316600F23",
    "host": "docteam-unix-3",
    "os": "Linux",
    "osExt": "Linux",
    "osVersion": "3.10.0-123.el7.x86_64",
    "splunkVersion": "6.5.0",
    "cpu": {  
        "coreCount": 2,
        "utilization": {  
            "min": 0.01,
            "p10": 0.01,
            "p20": 0.01,
            "p30": 0.01,
            "p40": 0.01,
            "p50": 0.02,
            "p60": 0.02,
            "p70": 0.03,
            "p80": 0.03,
            "p90": 0.05,
            "max": 0.44
        },
        "virtualCoreCount": 2,
        "architecture": "x86_64"
    },
    "memory": {  
        "utilization": {  
            "min": 0.26,
            "max": 0.34,
            "p10": 0.27,
            "p20": 0.28,
            "p30": 0.28,
            "p40": 0.28,
            "p50": 0.29,
            "p60": 0.29,
            "p70": 0.29,
            "p80": 0.3,
            "p90": 0.31
        },
        "capacity": 3977003401
    },
    "disk": {  
        "fileSystem": "xfs",
        "capacity": 124014034944,
        "utilization": 0.12
    }
}
depoyment.shclustering.member
{
    "site": "default",
    "member": {
      "status": "Up",
      "guid": "290C48B1-50D3-48C9-AF86-14F43000CC5C",
      "host": "ip-10-222-19-223"
    },
    "captain": "ip-10-222-19-253"
  }
licensing.stack Licensing quota and consumption
{
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "enterprise",
    "name": "download-trial",
    "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
    ],
    "quota": 524288000,
    "pools": [
        {
            "quota": 524288000,
            "consumption": 304049405
        }
    ],
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
}
performance.indexing Indexing throughput and volume
{
    "host": "docteam-unix-5",
    "thruput": {
        "min": 412,
        "max": 9225,
        "total": 42980219,    
        "p10": 413,
        "p20": 413,
        "p30": 431,
        "p40": 450,
        "p50": 474,
        "p60": 488,
        "p70": 488,
        "p80": 488,
        "p90": 518
    }
}
performance.search Search runtime statistics
{
    "latency": {
        "min": 0.01,
        "max": 1.33,
        "p10": 0.02,
        "p20": 0.02,
        "p30": 0.05,
        "p40": 0.16,
        "p50": 0.17,
        "p60": 0.2,
        "p70": 0.26,        
        "p80": 0.34,
        "p90": 0.8
    }
}
app.session.dashboard.pageview Dashboard characteristics, triggered when a dashboard is loaded.
{
        "dashboard": {
            "autoRun": false,
            "hideEdit": false,
            "numCustomCss": 0,
            "isVisible": true,
            "numCustomJs": 0,
            "hideFilters": false,
            "hideChrome": false,
            "hideAppBar": false,
            "hideFooter": false,
            "submitButton": false,
            "refresh": 0,
            "hideSplunkBar": false,
            "hideTitle": false,
            "isScheduled": false
        },
        "numElements": 1,
        "numSearches": 1,
        "numPanels": 1,
        "elementTypeCounts": {
            "column": 1
        },
        "layoutType": "row-column-layout",
        "searchTypeCounts": {
            "inline": 1
        },
        "name": "test_dashboard",
        "numFormInputs": 0,
        "formInputTypeCounts": {},
        "numPrebuiltPanels": 0,
        "app": "search"
    }
}
app.session.pivot.interact Changes to pivots. Generated when a change to a pivot is made.
{
        "eventAction": "change",
        "eventLabel": "Pivot - Report Content",
        "numColumnSplits": 0,
        "reportProps": {
            "display.visualizations.charting.legend.placement": "none",
            "display.visualizations.type": "charting",
            "earliest": "0",
            "display.statistics.show": "1",
            "display.visualizations.charting.chart": "column",
            "display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation": "-90",
            "display.visualizations.show": "1",
            "display.general.type": "visualizations"
        },
        "numRowSplits": 1,
        "eventCategory": "PivotEditorReportContent",
        "app": "search",
        "page": "pivot",
        "numAggregations": 1,
        "numCustomFilters": 0,
        "eventValue": {},
        "locale": "en-US",
        "context": "pivot"
    }
app.session.pivot.load
{
        "eventAction": "load",
        "eventLabel": "Pivot - Page",
        "numColumnSplits": 0,
        "reportProps": {
            "display.visualizations.charting.legend.placement": "none",
            "display.visualizations.type": "charting",
            "earliest": "0",
            "display.statistics.show": "1",
            "display.visualizations.charting.chart": "column",
            "display.visualizations.show": "1",
            "display.general.type": "visualizations"
        },
        "numRowSplits": 1,
        "eventCategory": "PivotEditor",
        "app": "search",
        "page": "pivot",
        "numAggregations": 1,
        "numCustomFilters": 0,
        "locale": "en-US",
        "context": "pivot"
    }
app.session.search.interact
app.session.pageview
{
        "app": "launcher",
        "page": "home"
    }
app.session.session_start
{
        "app": "launcher",
        "splunkVersion": "6.6.0",
        "os": "Ubuntu",
        "browser": "Firefox",
        "browserVersion": "38.0",
        "locale": "en-US",
        "device": "Linux x86_64",
        "osVersion": "not available",
        "page": "home",
        "guid": "2550FC44-64E5-43P5-AS44-6ABD84C91E42"
    }
usage.app.page App page users and views
{
    "app": "search",
    "locale": "en-US",
    "occurrences": 1,
    "page": "datasets",
    "users": 1
}
usage.indexing.sourcetype Indexing by source type
{
    "name": "vendor_sales",
    "bytes": 2026348,
    "events": 30245,
    "hosts:" 1
}
usage.search.concurrent Search concurrency
{
    "host": "docteam-unix-5"
    "searches": {
        "min": 1,
        "max": 11,
        "p10": 1,
        "p20": 1,
        "p30": 1,
        "p40": 1,
        "p50": 1,
        "p60": 1,
        "p70": 1,
        "p80": 2,
        "p90": 3
    }
}
usage.search.type Searches by type
{
    "ad-hoc": 1428,
    "scheduled": 225
}
usage.users.active Active users
{
    "active": 23
}

License usage data

Click Expand to view examples of the data that is collected.

Component Data category Example
licensing.stack Licensing quota and consumption
{
    "type": "download-trial",
    "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
    "product": "light",
    "name": "download-trial",
    "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
    ],
    "quota": 524288000,
    "pools": [
        {
            "quota": 524288000,
            "consumption": 304049405
        }
    ],
    "consumption": 304049405,
    "subgroup": "Production",
    "host": "docteam-unix-9"
}

What data is not collected

The following kinds of data are not collected:

  • Unhashed usernames or passwords.
  • Indexed data that you ingest into your Splunk platform instance.

How usage data is handled

When you enable instrumentation, usage data is transported directly to Splunk through its MINT infrastructure. Data received is securely stored within on-premises servers at Splunk with restricted access.

Anonymized usage data is aggregated, and is used by Splunk to analyze usage patterns so that Splunk can improve its products and benefit customers. License IDs collected are used only to verify that data is received from a valid Splunk product and persisted only for users opting into license usage reporting. These license IDs help Splunk analyze how different Splunk products are being deployed across the population of users and are not attached to any anonymized usage data.

See the Splunk Privacy Policy for more information.

Why send license usage data

Certain license programs require that you report your license usage. The easiest way to do this is to opt in to automatically send this information to Splunk.

If you do not opt in to automatic license data sharing, you can send this data manually. On a search head, log into Splunk Web. Select System > Instrumentation and follow the instructions for exporting the data to your local directory.

Feature footprint

Anonymized usage and license usage data is summarized and sent once per day, starting at 3:05 a.m.

Session data is sent from your browser as the events are generated. The performance implications are negligible.

In order for your Splunk Light deployment to send data to Splunk, it must be connected to the internet with no firewall rules or proxy server configurations that prevent outbound traffic to https://quickdraw.splunk.com/telemetry/destination or https://*.api.splkmobile.com. If necessary, whitelist these URLs for outbound traffic.

About searches

If you opt in to anonymized usage and license usage data reporting, your Splunk Light deployment collects data through ad hoc searches. All searches run in sequence, starting at 3:05 a.m. All searches are triggered with a scripted input. See Configure the priority of scheduled reports in the Splunk Enterprise Reporting Manual.

Instrumentation in the Splunk Light file system

After the searches run, the data is packaged and sent to Splunk, as well as indexed to the _telemetry index. The _telemetry index is retained for two years by default and is limited in size to 256 MB.

The instrumentation app resides in the file system at $SPLUNK_HOME/etc/apps/splunk_instrumentation.

PREVIOUS
Customize the Splunk Light login page
  NEXT
About Splunk Light licensing

This documentation applies to the following versions of Splunk® Light: 7.0.0, 7.0.1, 7.0.2, 7.0.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters