Use the Overview dashboard
Get a summary of your deployment's most important metrics using the Cloud Monitoring Console (CMC) Overview dashboard.
Access the Overview dashboard
Use the Overview dashboard to prioritize important metrics.
- In Splunk Web, select Cloud Monitoring Console.
- Then, select Overview.
- Select the Overview dashboard link in the banner.
In the Overview dashboard, select Find in CMC to quickly find any metric or dashboard in the Cloud Monitoring Console.
Review metrics that require attention
The CMC monitors key metrics in the background, which appear under the "Attention required" section in the Overview dashboard when they reach a critical state that requires attention. Each metric card includes a tooltip with more information on the metric, and a link to its respective dashboard.
Select View or manage items to choose which metrics to track.
The CMC monitors the following key metrics in the background:
| Tracked Metric | Attention required threshold |
|---|---|
| Bucket size and range | Requires attention when more than 50% of buckets are small, less than 50% are full sized, or if 10% are quarantined. |
| Cache transfer activity | Requires attention when SmartStore download size exceeds 10% of total disk space. |
| Change freeze | Requires attention when this deployment has an upcoming change freeze that will suspend maintenance during specific dates. |
| HEC 503 errors | Requires attention when HEC errors are sustained for over 30 minutes. |
| Heavy forwarder software version | Requires attention when your heavy forwarder software version is going to expire within 15 days |
| High memory searches | Requires attention when your searches are consuming more than 10% of Splunk Cloud Platform instance memory. |
| Indexer blocked queues | Requires attention when queues are blocked across 50% or more indexers. |
| Maintenance window | Requires attention when this deployment has a scheduled maintenance window that will interrupt operation. |
| Missing forwarders | Requires attention when forwarders do not have indexer connection in the past 15 minutes. |
| Quarantined CSV lookups in SHC | Requires attention when your search head cluster quarantines a CSV lookup from replication due its file size exceeding 5 GB. |
| Skipped search percentage | Requires attention when your skipped search percentage is greater than 25%. |
| Universal forwarder software version | Requires attention when your universal forwarder is going to expire within 15 days. |
Review your top metrics
You can prioritize metrics and personalize your experience by choosing which license entitlement and status metrics to display.
Review the dashboard to get fast access to these metrics:
- View your usage levels with the status indicators displayed in each license entitlement metric.
- Refresh or open any of the metrics directly in the Search and Reporting app.
- Select Add or remove metrics to choose which metric panels to display and prioritize your top metrics. Your selection applies to your own view. Other dashboard users can make their own selections.
See the following table to learn about each metric that you can select from the Overview dashboard:
| Panel | Category | Description |
|---|---|---|
|
Overall · Peak SVC Usage |
License |
Shows your organization's overall peak Splunk Virtual Compute (SVC) usage as a single value and a percentage of your license entitlement. Overall peak SVC usage refers to the highest amount of resources used in a given time interval to perform system processes such as indexing, any running search processes, and shared services. It primarily measures the CPU usage across search and indexing workloads. Displayed by default if your deployment has this entitlement. |
|
Ingest |
License |
Shows ingest license entitlement and usage data if the deployment has an ingest-based subscription. This panel accesses the Ingest daashboard. See Monitor current usage of your ingestion-based subscription. Displayed by default if your deployment has this entitlement. |
|
Searchable storage (DDAS) |
License |
Shows deployment's searchable storage entitlement based on DDAS license and amount of searchable storage used by customer and metered internal indexes This panel accesses the Searchable storage (DDAS) dashboard. See Monitor current usage of Searchable Storage. Displayed by default if your deployment has this entitlement. |
|
Archive storage summary (DDAA) |
License |
Shows deployment's archive storage entitlement based on DDAA license and amount of archive storage used by customer and metered internal indexes. This panel accesses the Archive storage (DDAA) dashboard. See Monitor current usage of Archive Storage. Displayed by default if your deployment has this entitlement. |
|
Federated search for Amazon S3 |
License |
Shows amount of data scanning capabilities and percentage of data scanning capabilities utilized by searches during current license term. This panel accesses the Federated Search for Amazon S3 dashboard. See Monitor your Federated Search for Amazon S3 resources. Displayed by default if your deployment has this entitlement. |
|
Federated Analytics |
License |
Shows the percentage of data scan entitlement used to search your Amazon Security Lake data during the current license term. This panel accesses the Federated Analytics dashboard. See Monitor your Federated Analytics licenses Displayed by default if your deployment has this entitlement. |
| No. of active forwarders | Data collection |
A forwarder is active if it has connected to an indexer within the last 15 minutes. This panel accesses the Forwarders: Deployment dashboard. See Monitor forwarder deployments. |
| Missing forwarders |
Data collection |
A forwarder shows a status of missing if it hasn't connected to indexers within 15 minutes of its last successful connection. This panel accesses the Forwarders: Deployment dashboard. See Monitor forwarder deployments. |
|
Total ingest volume |
Data indexing |
The large number shows the amount of data ingested in GB in the previous day. The smaller number and arrow indicates the increase or decrease in data ingestion from the previous ingestion total. This panel accesses the Ingest dashboard. See Monitor current usage of your ingest-based subscription. |
| Total data parsing issues |
Data indexing |
Shows a single value of the line breaking, timestamp parsing, and aggregation issues the Splunk platform encountered when parsing your data for indexing. This panel accesses the Data quality dashboard. |
| Total indexes |
Data indexing |
Shows a snapshot of the currently active indexes that contain events. This panel accesses the Indexing performance dashboard. See Check indexing performance.
Note: You must have the indexes_edit capability to view accurate data in this panel.
|
| Indexes with events |
Data indexing |
Shows the number of indexes that have processed events. This panel accesses the Indexing performance dashboard. See Check indexing performance.
Note: You must have the indexes_edit capability to view accurate data in this panel.
|
| Splunk TCP port closures |
Data indexing |
Shows the percentage of your active indexers in the last 4 hours that have Splunk TCP port closures. For example, if you access the dashboard at 4:00 PM, this panel shows data from 12:00 through 4:00 PM. This panel accesses the Indexing performance dashboard. See Check indexing performance. |
|
Search count |
Data search |
The large number shows the number of searches performed during the previous day. For example, if you access the dashboard on June 8, this panel shows data from June 7, 12:00 AM to 11:59 PM. The smaller number and arrow indicates the increase or decrease in searches from the previous search count. This panel accesses the Search usage statistics dashboard. See Analyze search usage statistics. |
|
Scheduled skipped searches |
Data search |
Shows the percentage of your scheduled searches that encountered an issue and had to be skipped in the last hour. This panel accesses the Skipped scheduled searches dashboard. See Investigate skipped scheduled searches. |
| Long running searches |
Data search |
Shows the number of ad hoc searches in the last 4 hours that have taken more than 30 minutes to complete. This panel accesses the Search Usage Statistics dashboard Analyze search usage statistics. |
|
Indexer memory utilization |
Resource |
The percentage of an indexer's RAM that is currently being used by active processes and programs. This panel accesses the Workload dashboard. See Review the Workload Metrics tab. |
|
Indexer cache churn |
Resource |
The rate at which data is evicted from cache memory to make room for new data. This measures the cache downloaded as a percentage of total storage. A high cache churn may occur when capacity constraints or inefficient cache management prevent cache retention. This panel accesses the Workload dashboard. See Review the Workload Metrics tab. |
|
Indexer CPU Utilization |
Resource |
The amount of compute that a task requires. This panel accesses the Workload dashboard. See Review the Workload Metrics tab. |
|
Search head memory utilization |
Resource |
The percentage of the search head's RAM that active processes and programs are currently using. This panel access the Workload dashboard. See Review the Resource Metrics tab. |
|
Search head CPU utilization |
Resource |
The amount of compute that a task requires. This panel access the Workload dashboard. See Review the Resource Metrics tab. |
|
Current region |
Cross-Region Disaster Recovery |
Cloud Service Provider (CSP) region where the Splunk deployment is hosted.
Note: Cross-Region Disaster Recovery is in the Early Access release phase.
For more information, see Review Cross-Region Disaster Recovery metrics. Displayed by default if your deployment has this entitlement. |
| Earliest unreplicated data age |
Cross-Region Disaster Recovery |
The time elapsed since the oldest ingested data in the active region is waiting to be replicated to the standby region.
Note: Cross-Region Disaster Recovery is in the Early Access release phase.
For more information, see Review Cross-Region Disaster Recovery metrics. Displayed by default if your deployment has this entitlement. |
|
Total unreplicated data size |
Cross-Region Disaster Recovery |
The size of ingested data from the active region that did not replicate to the standby region.
Note: Cross-Region Disaster Recovery is in the Early Access release phase.
For more information, see Review Cross-Region Disaster Recovery metrics. Displayed by default if your deployment has this entitlement. |
Review the Cross-Region Disaster Recovery metrics
If your deployment includes the Cross-Region Disaster Recovery entitlement, the Overview dashboard displays panels that inform you about which AWS region your stack is connected to and metrics on data that has not been replicated to your secondary region. You can add these Cross-Region Disaster Recovery panels to the Top metrics section of the Overview dashboard.
To learn more about Cross-Region disaster recovery, see About Cross-Region Disaster Recovery on Splunk Cloud Platform.
Get optimization resources
See the Optimization resources section at the bottom of the dashboard for more information on how to optimize deployment resources.
Interpret these results
Because the Overview dashboard provides a high-level view of the overall health of your deployment, investigate any anomalous spikes or dips and take the necessary mitigation action. For example, if you see a sudden increase in skipped scheduled searches, audit these searches to determine the cause and correct any issues.
See Use the Health dashboard to further investigate and learn more about the overall health of your deployment and its data collection, indexing, and search performance.