Monitor current usage of Archive Storage (DDAA)

This dashboard shows comprehensive Dynamic Data Active Archive (DDAA) license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Archive Storage (DDAA) dashboard

Dynamic Data Active Archive (DDAA) is used as a long term storage and data in DDAA can be restored to DDAS to be searched. For Splunk Cloud Platform administrators, this dashboard shows information about your archived data for indexes that are enabled with DDAA. Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the dashboard in the CMC app. For more information, see Store expired Splunk Cloud Platform data to a Splunk-managed archive.

Your organization must have enabled DDAA as part of its Splunk Cloud Platform subscription to see data in this dashboard. For more information, see the Dynamic Data Active Archive (DDAA) section in the Storage section of the Splunk Cloud Platform Service Description. If you exceed your storage requirements by ingesting more data than your initial estimate, Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Periodically, Splunk will review and charge your account for any overages.

Note: The Archive Storage (DDAA) dashboard provides insights into your data retention based on the uncompressed data you have indexed.

Review the Archive Storage (DDAA) dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Archive Storage (DDAA).

Panel Description
Archive Storage Entitlement Shows the amount of your archive storage entitlement.
Archive Storage Usage Shows the total amount of archive storage currently used by all applicable indexes.
Archive Storage Usage Percent Shows the percentage of usage compared to your DDAA license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
Archive Storage Usage Against Entitlement Shows the amount of archive storage used by all applicable indexes compared to your entitlement limit.

This bar chart is the visualization for the Archive Storage Usage panel.

Archive Storage Usage by Top 10 Indexes Shows your Top 10 indexes that are high consumers of archive storage.
Data Archive and Restoration Summary Shows a summary of restoration activity for all of your deployment's indexes that are enabled with the DDAA feature from the last 90 days. The 90-day count is up to midnight of the previous day from when you accessed the dashboard. This means if you access the dashboard on January 1 at 9:00 AM, the 90th day of data is December 31 at 11:59 PM.

These totals in GB show the amount of uncompressed (raw) data in the following categories:

  • Total Size Restored GB: Copied archive data that has been temporarily restored to an index. Restored data expires from searchable storage after 30 days.
  • Total Size Cleared GB: Restored data that has been manually removed from an index. This data has a Jobstatus of Cleared.
  • Total Size Expired GB: Data that has been automatically removed from searchable storage as it has passed the 30-day retention period. This data has a Jobstatus of Expired

The displayed totals depend on the data you have selected to restore or clear and also the conditions and limitations of the restoration process, as follows:

  • The archival and restoration process is complete.
  • The data doesn't overlap with other data.
  • The data size doesn't cause performance issues.

For more information, see the following in the the Splunk Cloud Platform Admin Manual:

Index Storage Usage Details Provides a tabular overview of archive storage details per index that lists the following information:
  • Archived index name
  • Timestamps formatted in UTC for the earliest and latest archived events
  • 90-day data growth and expiration data in GB
  • Current usage amount in GB

Interpret your archive storage results

  • Compare the archive usage against the entitlement and the growth against the expiration. If the usage and the growth consistently exceed the entitlement and the expiration, this indicates the following:
    • You must re-evaluate your index ingestion and retention settings. See the topics listed in the See also section on how to manage indexes and DDAA settings.
    • You may need to upgrade your subscription to better handle your true data ingest and retention rates. Contact your Splunk account representative for help.
  • Review the restoration totals and determine if the amount of data restored, cleared, and expired in your deployment meets or exceeds your organization's actual requirements. For example, a high total for restored data or low total for cleared or expired data may indicate the need to re-evaluate your index management policies and procedures. Ensure that you are restoring and retaining only the data that your organization truly needs.
  • Be sure to convert event timestamps from UTC to your local time when analyzing the data in the Index Storage Usage Details table.

See also

For more information about See
Splunk Cloud Platform data retention policies and available storage subscriptions Storage
Managing your indexes, including searchable and archive storage The Manage your Indexes and Data in Splunk Cloud Platform section in the Splunk Cloud Platform Admin Manual