Monitor current usage of your ingestion-based subscription

If your Splunk Cloud subscription plan measures the search workload consumption by the amount of data ingested, Splunk Cloud Platform administrators use the Ingest dashboard on the CMC to monitor usage and stay within their subscription entitlement.

Splunk Cloud Platform administrators can also use the SVC Usage panel in the Workload dashboard to view basic information about their organization's projected SVC utilization. Workload-based subscriptions use Splunk Virtual Compute (SVC) as a unit of measure. To understand the potential SVC equivalent for your ingest-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

For any questions about your organization's ingest-based subscription, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

About the Ingest dashboard

The Ingest dashboard contains four panels visible to Splunk Cloud Platform administrators:

  • License Entitlement shows the licensed limit in GB for your organization's ingest-based subscription. This entitlement also displays as a red horizontal line in the Daily License Usage panel.
  • Daily License Usage summary, Daily License Usage details, and Average and Peak Daily Volume show data ingestion in GB over a 30-day time range. These panels derive information from your organization's license manager and present data in a bar chart.
    • To view split-by details from the Daily License Usage summary or Daily License Usage details panels, click and drag an area of the panel to focus on a time range. Then use the Split by drop-down list to split the displayed results by host, index, source, or source type.

Note: The Daily License Usage summary panel uses the UTC timezone. The Daily License Usage details panel uses the timezone that your Splunk Cloud Platform instance is set to. You might see a discrepancy between the panels if your Splunk Cloud Platform instance timezone is not set to UTC.

Note: The Daily License Usage summary, Daily License Usage details, and Average and Peak Daily Volume panels use daily totals event data collected from the license_usage_summary.log file when you choose No Split. When you choose a Split by option, the panels use event data collected from the license_usage.log file. If the license manager is down at its local midnight, it won't generate the events for that day, and you won't see that day's data in the panels.

Review the Ingest dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Ingest.

Chart series values are color-coded. See the key on the side of a panel for the specific values included in a chart.

Filter option Description
License Entitlement Shows the licensed limit in GB for your organization's ingest-based subscription. See the red license limit horizontal line in the Daily License Usage panel to determine if your organization's ingestion rate stays under the limit.

Shows N/A if your organization has a workload-based subscription to Splunk Cloud Platform.

No Split The panels show license volume and usage data for all data pools.
Split by value Select a Split by option of Source Type, Host, Source, or Index. The panels may show the following behavior:
  • Daily License Usage: Shows up to 11 color-coded series of the selected option. This includes the top 10 series and OTHER, a summary category that includes series not in the top 10.
  • Average and Peak Daily Volume: Shows the average and peak daily values for the top five series of the selected option.

Data may display as SQUASHED when you split by host or source. This is because every license peer periodically reports to the license manager its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, source type, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by source type and index. This is done to conserve internal resources.

Because of squashing on the other fields, only the split-by source type and index guarantee full reporting. Split by source and host do not guarantee full reporting if those two fields represent many distinct values. The panels show the entire quantity indexed, but not the names. This means that you don't know who consumed a particular amount, but you know what the amount consumed is.

Interpret ingestion-based results

The series in a bar chart are individually color coded so you can analyze usage patterns and take any appropriate action. For example:

  • You set Split by to Index and see that a certain index shows an unusually high spike in usage. Investigate the cause of the spike and determine if it requires remediation.
  • You see that your daily usage and average and peak volumes are consistently close to or exceeding your license limit. Contact your Splunk account representative to upgrade your subscription.

Select any bar in the chart to view the underlying data for the bar. Be sure to not modify the underlying data in any way.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and select New Alert to define a new alert action. See also the Determine retention usage and set an alert section in Interpret index and storage capacity results in the Splunk Cloud Platform Admin Manual.