Update required for CMC custom dashboards and reports

As of May 2025, summary events collected by saved searches within the CMC have been updated as follows:

• All new summary data is routed to a new index, smaller called index=_cmc_summary. Previously, data was logged to index=summary.
• The _time field is corrected for CMC data that is stored in index=_internal

Access to the _cmc_summary index is restricted to users with the sc_admin role by default.

If your custom dashboards or reports rely on events from index=summary or index=_internal, follow the steps in the Call to Action to avoid disruption.

Benefits

The _cmc_summary index and the _time field correction have the following benefits:

• Improved dashboard load times for large deployments

• Faster data retrieval

• Improved SVC utilization of CMC dashboard searches when retrieving CMC summary data

• Improved storage utilization by using an internal index for CMC data

Customer dashboards and searches accessing the CMC data sources listed below from within the summary or _internal indexes must be updated to query both index=summary and index=_cmc_summary.

1. Identify all custom reports or dashboards that utilize index=summary and index=_internal to retrieve data from the following even summaries:
   • splunk-search-seconds
   • splunk-svc
   • splunk-svc-consumer
   • splunk-ingestion
   • splunk-search-count
   • splunk-storage-detail
   • splunk-storage-summary
   • splunk-entitlements
   • splunk-ddaa-detail
   • splunk-ddaa-summary
   • splunk-fss3-usage
   • splunk-federated-analytics-usage
   • splunk-federated-analytics-ingest-usage-by-svc
2. Update the SPL queries in the custom reports or dashboards by replacing index=summary and index=_internal with (index=summary OR index=_cmc_summary). This update ensures compatibility with both current and future releases.

   Example: index=summary

   From:

   CODECopy

   index=summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=* | stats max(svc_usage) as utilized_svc by _time

   index=summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=*   | stats max(svc_usage) as utilized_svc by _time

   To:

   CODECopy

   index=summary OR index=_cmc_summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=* | stats max(svc_usage) as utilized_svc by _time

   index=summary OR index=_cmc_summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=*   | stats max(svc_usage) as utilized_svc by _time

   Example: index=_internal

   From:

   CODECopy

   index=_internal type="logResults:splunk-storage-summary" | rename data.* as * | stats max(rawSizeGBCustomer) as "used" latest(activeStorageLicenseGB) as "license"

   index=_internal type="logResults:splunk-storage-summary" | rename data.* as * | stats max(rawSizeGBCustomer) as "used" latest(activeStorageLicenseGB) as "license"

   To:

   CODECopy

   index=summary OR index=_cmc_summary source="splunk-storage-summary" | stats max(rawSizeGBCustomer) as "used" latest(activeStorageLicenseGB) as "license"

   index=summary OR index=_cmc_summary source="splunk-storage-summary" | stats max(rawSizeGBCustomer) as "used" latest(activeStorageLicenseGB) as "license"

3. Confirm functionality of all modified dashboards and reports. Ensure that the correct source or text is referenced.