Monitor current usage of your ingestion-based subscription

If your Splunk Cloud subscription plan measures search consumption by the amount of data ingested, Splunk Cloud Platform administrators can use the Ingest dashboard in the Cloud Monitoring Console (CMC) to monitor usage and stay within their subscription entitlement.

Splunk Cloud Platform administrators can also use the SVC Usage panel in the Workload dashboard to view basic information about their organization's projected SVC utilization. Workload-based subscriptions use Splunk Virtual Compute (SVC) as a unit of measure. To understand the potential SVC equivalent for your ingest-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

For any questions about your organization's ingest-based subscription, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

About the Ingest dashboard

The Ingest dashboard contains panels that display data ingestion license usage. These panels derive information from your organization's license manager and present data in a bar chart.

Note: The Daily License Usage summary panel uses the UTC timezone.
Note: The Daily License Usage summary, Daily License Usage details, and Average and Peak Daily Volume panels use daily totals event data collected from the license_usage_summary.log file when you choose No Split. When you choose a Split by option, the panels use event data collected from the license_usage.log file. If the license manager is down at its local midnight, it won't generate the events for that day, and you won't see that day's data in the panels.

Review the Ingest dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Ingest.

Chart series values are color-coded. See the key on the side of a panel for the specific values included in a chart.

Panel | Description
License Entitlement | The licensed limit in GB for your organization's ingest-based subscription. See the red license limit horizontal line in the Daily License Usage panel to determine if your organization's ingestion rate stays under the limit. Shows N/A if your organization has a workload-based subscription to Splunk Cloud Platform.
Yesterday's ingest license usage | Data ingestion for the previous day, measured from midnight to midnight in the UTC timezone.
Today's ingest license usage | Data ingestion for the current day up to the present time, shown from midnight UTC to the current UTC time.
Total ingestion volume | Data ingestion over the previous seven days, shown as a stacked bar with segments for standard ingestion, Federated Analytics: AWS Security Lake, and Promote: Amazon S3 ingestion scenarios.

The Daily ingest license usage over time chart has the following view options:

Option | Description
Time range | View the license usage for the current day, last 7 days, or last 30 days. All times are calculated with the UTC timezone.
Split by | Select a Split by option of Source Type, Host, Source, Index, or Ingestion scenarios. The panels may show the following behavior:
  • Daily License Usage: Shows up to 11 color-coded series of the selected option. This includes the top 10 series and OTHER, a summary category that includes series not in the top 10.
  • Average and Peak Daily Volume: Shows the average and peak daily values for the top five series of the selected option.

Data may display as SQUASHED when you split by host or source. This is because every license peer periodically reports to the license manager its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, source type, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by source type and index. This is done to conserve internal resources.

Because host and source values can be squashed, only the Split by options of source type and index guarantee full reporting. Splitting by source or host does not guarantee full reporting if those two fields have many distinct values. The panels still show the entire quantity indexed, but not the names. This means that you know how much was consumed, but not who consumed it.

Ingestion scenarios | Select one or all from the available options of standard ingestion, Federated Analytics: AWS Security Lake, or Promote: Amazon S3 ingestion scenarios. Scenarios not included in your license will not be shown.
GB/% | Select whether you want to view the metrics in GB or as percentages.
Show limit | Include a line on the graph showing your license limit.
Chart type | Choose a regular column chart or a stacked column chart.
Top 10 | The top 10 items for sourcetype, index, source, host, or ingestion scenario, depending on the selection that you make in the Split by drop-down.

Interpret ingestion-based results

The series in a bar chart are individually color coded so you can analyze usage patterns and take any appropriate action. For example:

  • You set Split by to Index and see that a certain index shows an unusually high spike in usage. Investigate the cause of the spike and determine if it requires remediation.
  • You see that your daily usage and average and peak volumes are consistently close to or exceeding your license limit. Contact your Splunk account representative to upgrade your subscription.

Select any bar in the chart to view the underlying data for the bar. Be sure not to modify the underlying data in any way.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and select New Alert to define a new alert action. See also Check indexing performance.
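
The following Python example is added here and is not part of the Splunk documentation or Splunk's own code. It sums bytes per day by a chosen field from constructed events in the type=Usage layout of license_usage.log (trimmed to the s, st, h, idx, and b fields), shows how squashed host values keep their volume but lose their names, and flags an index spike. It assumes squashed events carry empty h and s values, and the 3x spike factor is an arbitrary choice.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample events in the license_usage.log type=Usage layout (not real data).
# Assumption: empty h="" and s="" mark events whose host and source were squashed.
SAMPLE = """\
05-01-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" b=400
05-01-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="fw:traffic" h="" idx="network" b=1000
05-02-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" b=420
05-02-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="fw:traffic" h="" idx="network" b=1100
05-03-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" b=410
05-03-2024 23:59:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="fw:traffic" h="" idx="network" b=5200
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_usage(text):
    """Return one dict per type=Usage line with day, idx, st, h, s and b (bytes)."""
    events = []
    for line in text.splitlines():
        f = {k: (q if u == "" else u) for k, q, u in KV.findall(line)}
        if f.get("type") != "Usage":
            continue
        f["day"] = line.split()[0]  # leading MM-DD-YYYY date (UTC in the sample)
        f["b"] = int(f["b"])
        events.append(f)
    return events

def daily_by(events, field):
    """Sum bytes per day per value of `field`; empty values are grouped as SQUASHED."""
    out = defaultdict(lambda: defaultdict(int))
    for e in events:
        out[e["day"]][e[field] or "SQUASHED"] += e["b"]
    return {day: dict(series) for day, series in out.items()}

def spikes(daily, factor=3.0):
    """Flag (day, series) whose bytes exceed factor x that series' mean on other days."""
    flagged = []
    for day, series in daily.items():
        for name, b in series.items():
            others = [v[name] for d, v in daily.items() if d != day and name in v]
            if others and b > factor * mean(others):
                flagged.append((day, name))
    return flagged

if __name__ == "__main__":
    ev = parse_usage(SAMPLE)
    print(spikes(daily_by(ev, "idx")), daily_by(ev, "h")["05-03-2024"])
```

Splitting the sample by idx attributes the spike to the network index, while splitting by h can only report the same bytes under SQUASHED.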