Review the overall, search, and indexing workload panels
The next panel displays further information about your overall, search, and indexing workloads. Select the respective panel tabs to view detailed charts on specific processes. Select each workload to view its metrics.
Overall workload panel
This Overall workload • Peak SVC usage panel shows your organization's SVC usage in the context of your license entitlement.
Select from the following views:
- Overall: The highest amount of resources used in a given time interval to perform system processes such as indexing, any running search processes, and shared services.
- By process: Overall peak SVC usage split by search processes, indexing processes, and shared services.
- By tier: Peak SVC usage based on processes performed by the search head and indexing tiers.
The Top 10 apps chart shows apps that contribute to the highest search time or estimated SVC usage.
The Top 10 users chart shows users that contribute to searches with the highest search time or estimated SVC usage. These users may be human or virtual administrators.
splunk-system-user virtual administrator runs jobs and processes like summary refreshes, report accelerations, and data model accelerations on behalf of a Splunk Cloud Platform customer. Running these processes consumes SVCs. If the SVC usage of splunk-system-user seems abnormal, contact the deployment's administrator to investigate the increased consumption.Search workload panel
The Search • SVC usage panel displays search processes that occur on the search and indexing tiers. The sum of these processes equals the peak SVC usage from search processes during this time interval.
Select from the View by options to view estimated SVC usage or search time in seconds.
Select from the following Search head options:
| Search head | Description |
|---|---|
| All | Shows all search heads in your Splunk Cloud Platform deployment. This category includes all the data ingested and processed in the deployment. |
| Specific search head name | Shows data for a specific search head that is ingested, processed, and summarized in the CMC 2.9.0 and higher. |
Select from the following Split by options:
| Search head | Description |
|---|---|
| Apps | Lists a maximum of the top 10 apps and their respective search workload SVC consumption or search time. |
| Searches | Shows which searches use the most search workload SVC or search time as a percentage of the total consumption. |
| Search type | Shows search types and their search time or estimated SVC consumption. |
| Users | Lists a maximum of the top 10 users and their search workload SVC consumption or search time. These users can be human or virtual administrators. |
The Search • SVC usage tracks the following search types:
| Search type | Description |
|---|---|
| REST_API | Searches that use the Splunk REST API. See Basic concepts about the Splunk platform REST API in the Splunk Enterprise REST API user manual. |
| ad-hoc | Searches that are unscheduled and manually run. See ad hoc search. |
| dashboard | Searches run by your dashboards |
| scheduled | Searches that are saved and scheduled so they automatically run. See scheduled search. |
| scheduled realtime | Searches where the search_mode field value is realtime indexes RT Indexes for realtime indexes and the search_type field value is scheduled.
|
| summary director | Maintenance tasks that run in the background involving caching and summarization to ensure searches are processed. |
| report acceleration | Searches that are related to accelerated data models or reports. See data model acceleration, report acceleration, and How data model acceleration differs from report acceleration and summary indexing in the Splunk Enterprise Knowledge Manger Manual. |
| Other | Uncategorized usage. |
The Dispatched and skipped search count per hour chart shows the number of searches per hour that are dispatched or skipped.
Indexing workload panel
Indexing workload • usage per hour panel encompasses ingestion and indexing processes on the indexing tier. The sum of these processes equals the peak SVC usage from indexing processes during this time interval.
Select from the Split by options to view indexing processes by specific indexes or source types.
The Ingestion by hour chart shows hourly rate of ingestion. When data ingestion rates are high, the indexer consumes more resources to process and ingest data. High ingestion rates can increase SVC usage.
Interpret Workload (preview) dashboard metrics
SVC utilization is not a direct measure of your deployment health. To better understand your deployment, go to the Health dashboard and see Use the Health dashboard.
You can turn on preconfigured alerts about your workload and SVC utilization with the Alerts dashboard. See Use the Alerts dashboard to learn more.
Optimizing search and indexing processes can improve SVC utilization and might improve system performance. To learn more, see Optimize indexing and search processes.