Use the License Usage dashboards

The License Usage dashboards enable Splunk Cloud Platform administrators to monitor their Splunk Cloud Platform subscription entitlement and ensure they don't exceed their license limits:

  • Entitlements: An overview of all of your organization's subscription entitlements.

  • Ingest: Monitor data ingestion usage. Requires an ingest-based subscription that measures by the amount of data ingested.

  • Workload: Monitor Splunk Virtual Compute (SVC) usage. Requires a workload-based subscription that measures by SVC units.

  • Storage summary: View usage data for searchable and archive storage license.

  • Searchable storage (DDAS): Monitor Dynamic Data Active Searchable (DDAS) license usage.

  • Archive storage (DDAA): Monitor Dynamic Data Active Archive (DDAA) license usage.

  • Federated Search for Amazon S3: Monitor data scan entitlement usage. Requires a Federated Search for Amazon S3 license.

  • Federated Analytics: Monitor data ingestion and Data Scan Units (DSUs) usage. Requires a Federated Analytics license.

  • Ingest Processor: Configure data flows, control data format, apply transformation rules prior to indexing, and route to destinations. Requires an Ingest Processor license.

  • AI Assistant: Monitor usage, track trends, and identify key skills and users. Requires an AI Assistant license.

To access the License Usage dashboards at any time from within CMC, you can click the License Usage link in the navigation bar. Select the dashboard that you want to view from the menu.

For more detailed information about the different subscription types, see the Splunk Cloud Platform Service Description. Be sure to choose the correct service description version for your Splunk Cloud Platform deployment from the Version drop-down menu.

For more information about your organization's particular subscription entitlement, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

Splunk Cloud Platform retains data based on index settings that enable you to specify when data is to be deleted. Data retention capacity space in your Splunk Cloud Platform service is based on the volume of uncompressed data that you want to index on a daily basis.

Storage is based on your subscription type. You can also purchase additional data retention capacity. For more information, see the following information in the Splunk Cloud Platform Service Description:

For more information about creating and managing Splunk Cloud Platform indexes, see Manage Splunk Cloud Indexes in the Splunk Cloud Platform Admin Manual.

Note: A blue progress bar might appear above a panel, indicating that the Splunk platform is still generating data. Wait for the bar to disappear before reviewing the panel.
CAUTION: Do not modify any Cloud Monitoring Console (CMC) dashboard. Changing any of the search criteria, formatting, or layouts may cause inaccurate results and also override the automatic update process.

Monitor your entitlements

Splunk Cloud Platform administrators use the Entitlements dashboard on the CMC to review the entitlement limits for their organization's subscription.

The panels show numerical values for the following entitlement limits:

  • <variable> License Entitlement: Ingest or Workload, based on your subscription type.
  • Archive storage: Dynamic Data Active Archive (DDAA)

  • Restored entitlement: Entitlement limit for DDAA restores.

  • Searchable storage: Dynamic Data Active Searchable (DDAS)

  • Data scan entitlement - Federated search for Amazon S3

  • Data scan entitlement - Federated analytics

Entitlement limits are specific to and based on your organization's unique requirements for ingesting and storing data with Splunk Cloud Platform. In particular, searchable and archive storage limits are specific to your Splunk Cloud Platform subscription because your organization may opt to purchase additional storage. For more information, see the following:

Review the Entitlement dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Entitlement.

Panel Description
<variable> License Entitlement Shows Workload License Entitlement and total number of SVCs if your organization has a workload-based subscription.

Shows Ingest License Entitlement and ingest limit in GB if your organization has an ingest-based subscription.
Searchable Storage (DDAS) Entitlement Shows your Dynamic Data Active Searchable (DDAS) storage entitlement in GB.
Archive Storage (DDAA) Entitlement Shows your Dynamic Data Active Archive (DDAA) entitlement in GB. Shows N/A if this isn't applicable for your organization's subscription.
Restored entitlement Shows your entitlement limit for DDAA restores.
Data scan entitlement for Federated Search for Amazon S3 Shows your amount of data scan entitlement available. If your organization doesn't have a license for Federated Search for Amazon S3, this panel is not visible.
Data scan entitlement for Federated Analytics Shows your amount of data scan entitlement available. If your organization doesn't have a license for Federated Analytics, this panel is not visible.

Interpret the entitlement results

Because entitlement limits are determined by your organization's Splunk Cloud Platform subscription, contact your Splunk account representative with any questions about the displayed values.

Monitor current usage of your ingestion-based subscription

If your Splunk Cloud subscription plan measures the search consumption by the amount of data ingested, Splunk Cloud Platform administrators use the Ingest dashboard on the CMC to monitor usage and stay within their subscription entitlement.

Splunk Cloud Platform administrators can also use the SVC Usage panel in the Workload dashboard to view basic information about their organization's projected SVC utilization. Workload-based subscriptions use Splunk Virtual Compute (SVC) as a unit of measure. To understand the potential SVC equivalent for your ingest-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

For any questions about your organization's ingest-based subscription, or to convert from an ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

About the Ingest dashboard

The Ingest dashboard contains panels that display data ingestion license usage. These panels derive information from your organization's license manager and present data in a bar chart.

Note: The Daily License Usage summary panel uses the UTC timezone.
Note: The Daily License Usage summary, Daily License Usage details, and Average and Peak Daily Volume panels use daily totals event data collected from the license_usage_summary.log file when you choose No Split. When you choose a Split by option, the panels use event data collected from the license_usage.log file. If the license manager is down at its local midnight, it won't generate the events for that day, and you won't see that day's data in the panels.

Review the Ingest dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Ingest.

Chart series values are color-coded. See the key on the side of a panel for the specific values included in a chart.

Panel Description
License Entitlement The licensed limit in GB for your organization's ingest-based subscription. See the red license limit horizontal line in the Daily License Usage panel to determine if your organization's ingestion rate stays under the limit.

Shows N/A if your organization has a workload-based subscription to Splunk Cloud Platform.
Yesterday's ingest license usage Data ingestion for the previous day, measured from midnight to midnight in the UTC timezone.
Today's ingest license usage Data ingestion for the current day up to the present time, shown from midnight UTC to the current UTC time.
Total ingestion volume Data ingestion over the previous seven days, shown as a stacked bar with segments for standard ingestion, Federated Analytics: AWS Security Lake, and Promote: Amazon S3 ingestion scenarios.

The Daily ingest license usage over time chart has the following view options:

Option Description
Time range View the license usage for the current day, last 7 days, or last 30 days. All times are calculated with the UTC timezone.
Split by Select a Split by option of Source Type, Host, Source, Index, or Ingestion scenarios. The panels may show the following behavior:
  • Daily License Usage: Shows up to 11 color-coded series of the selected option. This includes the top 10 series and OTHER, a summary category that includes series not in the top 10.
  • Average and Peak Daily Volume: Shows the average and peak daily values for the top five series of the selected option.

Data may display as SQUASHED when you split by host or source. This is because every license peer periodically reports to the license manager its stats for the data indexed, broken down by source, source type, host, and index. If the number of distinct tuples (host, source, source type, index) grows beyond a configurable threshold, Splunk software squashes the host and source values and only reports a breakdown by source type and index. This is done to conserve internal resources.

Because of squashing on the other fields, only the split-by source type and index guarantee full reporting. Split by source and host do not guarantee full reporting if those two fields represent many distinct values. The panels show the entire quantity indexed, but not the names. This means that you don't know who consumed a particular amount, but you know what the amount consumed is.
Ingestion scenarios Select one or all from the available options of standard ingestion, Federated Analytics: AWS Security Lake, or Promote: Amazon S3 ingestion scenarios. Scenarios not included in your license will not be shown.
GB/% Select whether you want to view the metrics in GB or as percentages.
Show limit Include a line on the graph showing your license limit.
Chart type Choose a regular column chart or a stacked column chart.
Top 10 The top 10 items for sourcetype, index, source, host, or ingestion scenario, depending on the selection that you make in the Split by drop-down.

Interpret ingestion-based results

The series in a bar chart are individually color coded so you can analyze usage patterns and take any appropriate action. For example:

  • You set Split by to Index and see that a certain index shows an unusually high spike in usage. Investigate the cause of the spike and determine if it requires remediation.
  • You see that your daily usage and average and peak volumes are consistently close to or exceeding your license limit. Contact your Splunk account representative to upgrade your subscription.

Select any bar in the chart to view the underlying data for the bar. Be sure to not modify the underlying data in any way.

You can also set up an alert action (for example, send an email) to be performed when a platform alert is triggered. Go to Settings > Searches, Reports, and Alerts and select New Alert to define a new alert action. See also Check indexing performance.

Monitor current SVC usage of your workload-based subscription

If your Splunk Cloud Platform subscription plan measures your deployment's ingestion and search workload consumption by Splunk Virtual Compute (SVC) units, Splunk Cloud Platform administrators use the Workload dashboard on the CMC to monitor usage. For more information about the SVC entitlement for your workload-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct service description version for your Splunk Cloud Platform deployment version.

Interpret Workload dashboard metrics

SVC utilization is not a direct measure of your deployment health. To better understand your deployment, go to the Health dashboard and see Use the Health dashboard.

You can turn on preconfigured alerts about your workload and SVC utilization with the Alerts dashboard. See Use the Alerts dashboard to learn more.

Optimizing search and indexing processes can improve SVC utilization and might improve system performance. To learn more, see Optimize indexing and search processes.

What is Splunk Virtual Compute (SVC)?

SVC is a unit of capabilities that includes CPU, memory, and I/O. Overall SVC usage primarily considers CPU across search and indexing workloads. Splunk deploys infrastructure based on your entitled SVCs.

Provisioned SVCs are allocated to the search head and indexer tiers after initial sizing conversations about intended workloads and requirements, with intention to minimize the footprint for both tiers. Viewing the usage as a percentage of provisioned SVCs provides insight on a tier level and helps you understand what utilization looks like if one tier is over extended. Review the percentage usage on each tier to identify which tier is close to exceeding the optimal range of greater than 80%.

For more information about the SVC entitlement for your workload-based subscription, see Performance considerations in the Splunk Cloud Platform Service Description. Be sure to view the correct version for your Splunk Cloud Platform deployment version.

Note: If your organization has an ingest-based subscription, the SVC license entitlement metric and suggested thresholds are not applicable to your deployment. To determine the appropriate SVC entitlement for your deployment and to convert your ingest-based subscription to a workload-based subscription, contact your Splunk account representative.

Review the top-level panels

The top-level panels of the Workload dashboard display your deployment's peak usage indicators. Use these panels to gauge your deployment's peak SVC usage during a given time interval.

Use the Time and Granularity drop-down menus to select the time interval and level of detail with which you want to view the metrics. To view detailed graphs for each metric, click Click to scroll to graph on the panel.

Select the question mark icon for more information or see the following table to learn more about each indicator:

Panel Description
Current license entitlement

Shows the number of SVCs assigned to your organization's subscription for your license entitlement.

This panel may display N/A for the following scenarios:

  • Subscription status: Your organization has a new workload-based subscription and Splunk is still processing your SVC entitlement. Once this process is complete, your entitlement will appear.
  • Subscription type: Your organization uses ingest-based licensing. Contact your Splunk account representative to convert your subscription type from ingest-based to workload-based.
Overall • Peak SVC usage

Shows your organization's overall peak SVC usage as a single value and a percentage of your license entitlement.

Splunk deploys infrastructure based on your entitled SVCs. Overall peak SVC usage refers to the highest amount of resources used in a given time interval to perform system processes such as indexing, any running search processes, and shared services. It primarily measures the CPU usage across search and indexing workloads.

Generally, you should ensure that SVC usage is less than 80% to maintain performance. Usage greater than or equal to 80% is considered elevated, and greater than or equal to 90% might cause degraded performance.
Search • Peak SVC usage

Shows your organization's search workload peak SVC usage as a single value.

Search peak SVC usage refers to the highest amount of resources used in a given time interval to perform search processes. It primarily measures the CPU usage across search workloads. The search workload can occur on both the search and indexing tiers.
Indexing • Peak SVC usage

Shows your organization's indexing workload peak SVC usage as a single value

Indexing peak SVC usage refers to the highest amount of resources used in a given time interval to perform indexing processes. It primarily measures the CPU usage across indexing workloads. The indexing workload occurs on the indexing tiers.
Indexer memory utilization

Shows the 90th percentile measurement of the memory used by all processes running across the time frame selected for all the indexer hosts.

The 90th percentile measurement captures 90% of the values below the estimate. 10% of the values above the estimate are excluded as outliers.
Indexer cache churn

Shows the percentage of cache churn for your stack.

Indexer cache churn is the rate at which data is evicted from local disk cache to make room for new data. Cache churn occurs when the cache is unable to retain frequently accessed data due to capacity constraints or inefficient cache management, resulting in data being replaced more frequently than desired. Repeatedly evicted data needs to be reloaded from slower storage, which can lead to performance degradation, increased search latency, and inefficient caching. High cache churn is often an indication of inefficient searches or a need for more capacity, particularly in environments with high data volumes or complex search patterns.

For tips on how to improve your cache churn percentage, see Optimize indexing and search processes
Indexer CPU utilization

Shows the 90th percentile measurement of the CPU used by all processes running across all indexers.

The 90th percentile measurement captures 90% of the values below the estimate. 10% of the values above the estimate are excluded as outliers.
Search head memory utilization Shows the 90th percentile measurement of RAM that active processes and programs are currently using, across all search heads.
Search head CPU utilization Shows the 90th percentile measurement of CPU utilization across all search heads. CPU utilization refers to the amount of compute that a task requires.

Review the Resource Metrics tab

The Resource Metrics tab provides graphs for indexer memory utilization, cache churn, and CPU utilization, as well as search head memory and CPU utilization. Select the respective panel tabs to view detailed charts for each resource.

Set the time interval and level of detail for each graph with the Time and Granularity drop-down menus at the top level of the dashboard. You can view threshold values for each chart by enabling or disabling Show Thresholds. Click on the Options icon to open a search based on the metrics, or to open the search inspector.

Indexer memory utilization panel

Indexer memory utilization measures the percentage of an indexer's RAM that active processes and applications are currently using. This number represents the latest 90th percentile measurement of memory utilization across all indexer hosts for the timeframe selected.

Indexer cache churn panel

Indexer cache churn is the rate at which data is evicted from cache memory to make room for new data. Cache churn occurs when the cache is unable to retain frequently accessed data due to capacity constraints or inefficient cache management. This metric measures the cache downloaded as a percentage of total storage.

Thresholds are not visible on this graph. This graph shows the rate of churn over the selected period of time, while the threshold is based on the sum of the previous 24 hours.

Indexer CPU utilization panel

Indexer CPU utilization refers to the amount of computation that a task requires. This number represents the latest 90th percentile measurement of CPU utilization across all indexer hosts for the timeframe selected.

The Indexer CPU usage attribution graph provides additional visualizations of CPU resource consumption by search and ingest activities. You can select search heads, search types, apps, or users to further refine the graph data.

Search head memory utilization panel

Search head memory utilization measures the percentage of the search head's RAM that active processes and programs are currently using. This number represents the latest 90th percentile measurement of memory utilization across all search heads for the timeframe selected.

Search head CPU utilization panel

Search head CPU utilization measures the computation that a task requires. This number represents the latest 90th percentile measurement of CPU utilization across all search heads for the timeframe selected.

The Search Head CPU usage attribution graph provides additional visualizations of CPU resource consumption but search and ingest activities. You can select search heads, search types, apps, or users to further refine the graph data.

Review the Workload Metrics tab

The Workload Metrics tab displays further information about your overall, search, and indexing workloads. Select the respective panel tabs to view detailed charts on specific processes. Select each workload to view its metrics.

Overall workload panel

The Overall workload panel shows your organization's average hourly SVC usage in the context of your license entitlement.

Select from the following views:

  • Overall: The highest amount of resources used in a given time interval to perform system processes such as indexing, any running search processes, and shared services.
  • By process: Overall peak SVC usage split by search processes, indexing processes, and shared services.
  • By tier: Peak SVC usage based on processes performed by the search head and indexing tiers.

The Top 10 apps chart shows apps that contribute to the highest search time or estimated SVC usage.

The Top 10 users chart shows users that contribute to searches with the highest search time or estimated SVC usage. These users may be human or virtual administrators.

You can choose to view the Top 10 charts by Estimated SVC usage or by search seconds.

Note: The internal splunk-system-user virtual administrator runs jobs and processes like summary refreshes, report accelerations, and data model accelerations on behalf of a Splunk Cloud Platform customer. Running these processes consumes SVCs. If the SVC usage of splunk-system-user seems unusual, contact the deployment's administrator to investigate the increased consumption.

Search workload panel

The Search workload panel displays search processes that occur on the search and indexing tiers. The sum of these processes equals the peak SVC usage from search processes during this time interval.

This information enables you to identify high consumers of SVC per hour grouped by consumer type and search head so you can take steps to optimize their consumption. For example, by analyzing the users and searches data, you can contact high consumers of SVC and discuss ways to optimize their consumption, such as improving their search queries.

Select from the View by options to view estimated SVC usage or search time in seconds.

Select from the following Split by options:

Search head Description
Apps Lists a maximum of the top 10 apps and their respective search workload SVC consumption or search time.
Searches Shows which searches use the most search workload SVC or search time as a percentage of the total consumption.
Search head Shows the search heads and their search time or estimated SVC consumption.
Search type Shows search types and their search time or estimated SVC consumption.
Users Lists a maximum of the top 10 users and their search workload SVC consumption or search time. These users can be human or virtual administrators.

To filter your view, enable the Show Filters toggle. This enables you to filter the results by search head, search type, apps, or users. The filters include the following options:

Filter Option Description
Search Head All Shows all search heads in your Splunk Cloud Platform deployment. This category includes all the data ingested and processed in the deployment.
Search Head Specific search head name Shows data for a specific search head that is ingested, processed, and summarized in the CMC 2.9.0 and higher.
Search type REST_API Searches that use the Splunk REST API. See Basic concepts about the Splunk platform REST API in the Splunk Enterprise REST API user manual.
Search type ad-hoc Searches that are unscheduled and manually run. See ad hoc search.
Search type dashboard Searches run by your dashboards
Search type scheduled Searches that are saved and scheduled so they automatically run. See scheduled search.
Search type scheduled realtime Searches where the search_mode field value is realtime indexes RT Indexes for realtime indexes and the search_type field value is scheduled.
Search type summary director Maintenance tasks that run in the background involving caching and summarization to ensure searches are processed.
Search type report acceleration Searches that are related to accelerated data models or reports. See data model acceleration, report acceleration, and How data model acceleration differs from report acceleration and summary indexing in the Splunk Enterprise Knowledge Manger Manual.
Search type Other Uncategorized usage.

The Dispatched and skipped search count per hour chart shows the number of searches per hour that are dispatched or skipped.

Indexing workload panel

The Indexing workload panel encompasses ingestion and indexing processes on the indexing tier. The sum of these processes equals the peak SVC usage from indexing processes during this time interval.

The Ingestion by hour chart shows hourly rate of ingestion. When data ingestion rates are high, the indexer consumes more resources to process and ingest data. High ingestion rates can increase SVC usage.

Select from the Split by options to view indexing processes by specific indexes, source types, or ingestion scenarios.

To filter your view, enable the Show Filters toggle. This enables you to filter the results by index, source type, or ingestion scenario. Click on the drop-down and enter search terms to specify the parameters.

Interpret Workload dashboard metrics

SVC utilization is not a direct measure of your deployment health. To better understand your deployment, go to the Health dashboard and see Use the Health dashboard.

You can turn on preconfigured alerts about your workload and SVC utilization with the Alerts dashboard. See Use the Alerts dashboard to learn more.

Optimizing search and indexing processes can improve SVC utilization and might improve system performance. To learn more, see Optimize indexing and search processes.

Monitor the Storage Summary dashboard

This dashboard shows searchable and archive storage license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Storage Summary dashboard

The Storage Summary dashboard highlights important information that also displays on the Entitlements, Searchable Storage (DDAS), and Archive Storage (DDAA) dashboards. This dashboard provides insights into your data retention based on the uncompressed data you have indexed.

Note: To view this dashboard, you must have the indexes_edit capability.

Review the Storage Summary dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Storage Summary.

Panel Description
Searchable Storage (DDAS) Entitlement Shows the amount of your entitled searchable storage based on your DDAS license entitlement.
Searchable Storage (DDAS) Usage Shows the amount of searchable storage used by both customer-created and metered internal indexes.
Searchable Storage (DDAS) Usage Percent Shows your percentage of usage compared to your DDAS license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
Archive Storage (DDAA) Entitlement Shows the amount of your archive storage entitlement based on your DDAA license.
Archive Storage (DDAA) Usage Shows the amount of archive storage used by both customer-created and metered internal indexes.
Archive Storage (DDAA) Usage Percent Shows your percentage of usage compared to your DDAA license entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.

If your organization doesn't have a DDAA subscription, this panel displays N/A.
Restored Entitlement, Restored Searchable Storage (DDAS) Usage, and Restored Searchable Storage (DDAS) Usage Percent For more information, see the panel descriptions in the Review the Searchable Storage (DDAS) dashboard section.

If your organization doesn't have a DDAA subscription, these panels don't appear.
Index Details Provides a tabular overview of index retention and storage usage, per index.
  • Searchable Storage (DDAS) Retention Days
  • Searchable Storage (DDAS) Index Size GB
  • Archive Storage (DDAA) Retention Days
  • Archive Storage (DDAA) Usage GB
  • Archived GB Last 90 Days
  • Expired GB Last 90 Days

For Archived GB Last 90 Days and Expired GB Last 90 Days, the 90-day count is up to midnight of the previous day from when you accessed the dashboard. This means if you access the dashboard on January 1 at 9:00 AM, the 90th day of data is December 31 at 11:59 PM. Searchable Storage (DDAS) Retention Days and Archive Storage (DDAA) Retention Days also display values as of midnight of the previous day.

Interpret storage summary results

  • If the Searchable Storage (DDAS) Usage Percent panel value displays in red or yellow, this indicates that you need to reduce your DDAS usage. See the Searchable Storage (DDAS) dashboard for more detailed information.
  • If the Archive Storage (DDAA) Usage Percent panel value displays in red or yellow, this indicates that you need to reduce your DDAA usage. See the Archive Storage (DDAA) for more detailed information.

Monitor current usage of Searchable Storage (DDAS)

This dashboard shows comprehensive Dynamic Data Active Searchable (DDAS) license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Searchable Storage (DDAS) dashboard

Dynamic Data Active Searchable (DDAS) is used for searching ingested data. DDAS is also commonly known as searchable storage. Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the dashboard in the CMC app. For more information, see Restore archived data to Splunk Cloud Platform.

Your organization determines their DDAS entitlement amount when subscribing to the Splunk Cloud Platform. For questions about your organization's DDAS entitlement, contact your Splunk account representative. See also the "Data retention" and "Dynamic Data Active Searchable (DDAS)" sections in the Storage section of the Splunk Cloud Platform Service Description.

Note: The Searchable Storage (DDAS) dashboard provides insights into your data retention based on the uncompressed data you have indexed.

Review the Searchable Storage (DDAS) dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Searchable Storage (DDAS).

Panel Description
Searchable storage (DDAS) entitlement Shows the amount of your searchable storage entitlement.

If you are an ingest-based customer, this value includes any additional storage you have purchased. If you are a workload-based customer, this value is the storage you have purchased. For questions about these entitlement values, contact your Splunk account representative.
Restored storage entitlement Shows your entitlement limit for DDAA restores. For most Splunk Cloud Platform customers, this value is generally 10% of the amount that displays in the Searchable Storage (DDAS) Entitlement panel. If your organization has has expanded their license to increase restoring capacity, the restored entitlement limit reflects this increase up to 20%. For more information, see the following:

If your organization doesn't have a DDAA subscription, this panel doesn't appear.
Searchable Storage (DDAS) Usage Shows the amount of searchable storage used by customer-created and metered internal indexes in GB.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
This value includes only actively searched storage and is calculated when you load this dashboard. Though this value will generally correspond to the total of the individual index values displayed in the Searchable Storage Index Details table, there may be differences due to the time the queries are performed, data aging out of indexes, and similar reasons.

Use this information to compare your current storage consumption against your subscription entitlement and data retention limits.
Restored Searchable Storage (DDAS) Usage Shows the amount and percent of restored storage used by both customer-created and metered internal indexes. This panel calculates searchable storage as the amount of restored data minus the expired and cleared data.

If your organization doesn't have a DDAA subscription, this panel doesn't appear.
Searchable Storage license usage over time Shows the usage in GB compared to your DDAS license entitlement. The graph includes indicators for your high usage threshold and your license limit.
Searchable Storage Usage by Top 10 Indexes Shows the top 10 indexes that are high consumers of searchable storage.

Select the Include Internal Indexes checkbox to include Splunk internal indexes in the chart and analyze if internal indexes are consuming high amounts of storage. See also the Splunk Internal Index Details table.
Searchable Storage Index Details Provides a tabular overview of searchable storage details per index that includes the following data:
  • Oldest Event
  • Newest Event
  • Event Count
  • Storage Retention Days
  • Index Size GB

Shows a table of the indexes in your deployment and the current searchable amount in GB for each actively searchable index. The searchable indexes of your deployment only include those in a hot or warm bucket. The GB value that displays for each index is calculated when you load this dashboard. Use this information to determine which indexes are high consumers of storage, and also understand general usage patterns and trends. For more information about index retention settings, see Manage data retention settings in the Splunk Cloud Platform Admin Manual.
Splunk Internal Index Details Provides a tabular overview of internal index details that includes the following data:
  • Oldest Event
  • Newest Event
  • Event Count
  • Storage Retention Days
  • Default Retention Days
  • Unmetered Index Size GB
  • Metered Index Size GB
  • Total Index Size GB

Splunk internal indexes can be identified by the underscore prefix (_) in the index name and appear on other storage dashboards, such as the Storage Summary dashboard. You can opt to include internal indexes in the Searchable Storage Usage by Top 10 Indexes chart.

An index with a storage value that exceeds the default value delivered by Splunk consumes additional license data. The Default Retention Days column shows Splunk default values. The Storage Retention Days column shows the actual storage retention value set for an index.

Interpret your searchable storage results

  • A good method to determine if your data usage is running higher than expected is to check the dates of the earliest and latest events and compare this time period to the retention setting for the individual index. For example, if the earliest event is 2020/01/25, the latest event is 2020/01/31, and the retention setting for the index is 90 days, then the data ingestion for the index was met long before the time retention setting was met. So, the data ingestion was greater than anticipated.
  • If an internal index displays a Storage Retention Days value that exceeds the Default Retention Days value, contact your Splunk account representative.

Monitor current usage of Archive Storage (DDAA)

This dashboard shows comprehensive Dynamic Data Active Archive (DDAA) license usage data so Splunk Cloud Platform administrators can ensure their organization stays within its licensed subscription limits.

About the Archive Storage (DDAA) dashboard

Dynamic Data Active Archive (DDAA) is used as a long term storage and data in DDAA can be restored to DDAS to be searched. For Splunk Cloud Platform administrators, this dashboard shows information about your archived data for indexes that are enabled with DDAA. Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the dashboard in the CMC app. For more information, see Store expired Splunk Cloud Platform data to a Splunk-managed archive.

Your organization must have enabled DDAA as part of its Splunk Cloud Platform subscription to see data in this dashboard. For more information, see the Dynamic Data Active Archive (DDAA) section in the Storage section of the Splunk Cloud Platform Service Description. If you exceed your storage requirements by ingesting more data than your initial estimate, Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Periodically, Splunk will review and charge your account for any overages.

For more information about your archived data for indexes that are enabled with Dynamic Data Active Archive (DDAA), see Use the Archive Management panel.

Note: The Archive Storage (DDAA) dashboard provides insights into your data retention based on the uncompressed data you have indexed.

Review the Archive Storage (DDAA) dashboard

To investigate your panels, go to Cloud Monitoring Console > License Usage > Archive Storage (DDAA).

Panel Description
Current license entitlement Shows the amount of your archive storage entitlement.

The value displays in the following colors to indicate status:

  • Green: Usage is well under the entitlement limit.
  • Yellow: Usage is at or above 80% of the entitlement limit.
  • Red: Usage at or above 90% and close to exceeding the entitlement limit.
Restored storage entitlement Shows your entitlement limit for DDAS restores. For most Splunk Cloud Platform customers, this value is generally 10% of the amount that displays in the Searchable Storage (DDAS) Entitlement panel. If your organization has has expanded their license to increase restoring capacity, the restored entitlement limit reflects this increase up to 20%. For more information, see the following:
Archive Storage (DDAA) Usage Shows the total amount of archive storage currently used by all applicable indexes.
Restored searchable storage usage Shows the amount of restored storage used by both customer-created and metered internal indexes. This panel calculates searchable storage as the amount of restored data minus the expired and cleared data.
Archive Storage license usage over time Shows the usage in GB or percent compared to your DDAA license entitlement. The graph includes indicators for your high usage threshold and your license limit.
Archive Storage Usage by Top 10 Indexes Shows your Top 10 indexes that are high consumers of archive storage.
Data Archive and Restoration Summary Shows a summary of restoration activity for all of your deployment's indexes that are enabled with the DDAA feature from the last 90 days. The 90-day count is up to midnight of the previous day from when you accessed the dashboard. This means if you access the dashboard on January 1 at 9:00 AM, the 90th day of data is December 31 at 11:59 PM.

These totals in GB show the amount of uncompressed (raw) data in the following categories:

  • Total Size Restored GB: Copied archive data that has been temporarily restored to an index. Restored data expires from searchable storage after 30 days.
  • Total Size Cleared GB: Restored data that has been manually removed from an index. This data has a Jobstatus of Cleared.
  • Total Size Expired GB: Data that has been automatically removed from searchable storage as it has passed the 30-day retention period. This data has a Jobstatus of Expired
  • Total Size Active Restored GB: Restored data that is currently active in the index and searchable.

The displayed totals depend on the data you have selected to restore or clear and also the conditions and limitations of the restoration process, as follows:

  • The archival and restoration process is complete.
  • The data doesn't overlap with other data.
  • The data size doesn't cause performance issues.

For more information, see the following in the the Splunk Cloud Platform Admin Manual:
Index Storage Usage Details Provides a tabular overview of archive storage details per index that lists the following information:
  • Archived index name
  • Timestamps formatted in UTC for the earliest and latest archived events
  • 90-day data growth and expiration data in GB
  • Current usage amount in GB

Interpret your archive storage results

  • Compare the archive usage against the entitlement and the growth against the expiration. If the usage and the growth consistently exceed the entitlement and the expiration, this indicates the following:
    • You must re-evaluate your index ingestion and retention settings. See the topics listed in the See also section on how to manage indexes and DDAA settings.
    • You may need to upgrade your subscription to better handle your true data ingest and retention rates. Contact your Splunk account representative for help.
  • Review the restoration totals and determine if the amount of data restored, cleared, and expired in your deployment meets or exceeds your organization's actual requirements. For example, a high total for restored data or low total for cleared or expired data may indicate the need to re-evaluate your index management policies and procedures. Ensure that you are restoring and retaining only the data that your organization truly needs.
  • Be sure to convert event timestamps from UTC to your local time when analyzing the data in the Index Storage Usage Details table.

See also

For more information about See
Splunk Cloud Platform data retention policies and available storage subscriptions Storage
Managing your indexes, including searchable and archive storage The Manage your Indexes and Data in Splunk Cloud Platform section in the Splunk Cloud Platform Admin Manual

Use the Archive Management panel

For Splunk Cloud Platform administrators, the Archive Management panel in the Cloud Monitoring Console (CMC) app shows information about your archived data for indexes that are enabled with Dynamic Data Active Archive (DDAA). Review the information to ensure that you are staying within your subscribed limits for data ingestion and retention. The displayed data updates every time you access or refresh the panel in the CMC app.

Note: Your organization must have enabled DDAA as part of its Splunk Cloud Platform subscription to see data in this panel.

If you exceed your storage requirements by ingesting more data than your initial estimate, Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. Periodically, Splunk will review and charge your account for any overages. For more information and to understand storage requirements based on your subscription type, see the Storage section of the Splunk Cloud Platform Service Description.

Archive Summary

In CMC, select the Archive Management link in the first panel of the Storage Summary or Archive Storage (DDAA) dashboard, then select the Archive Summary tab.

The summary information in this tab shows data on the usage, entitlement, and 90-day growth and expiration in GB for all of your deployment's indexes enabled with DDAA.

The archived data details table lists the following information:

  • Archived index name
  • Current size (GB)
  • Timestamps for the earliest and latest archived events
  • 90-day data growth and expiration data in GB

Note: The amounts for the summarized and detailed growth and expiration data are for uncompressed (raw) data.

Interpret these results

Compare the usage against the entitlement and the growth against the expiration. If the usage and the growth consistently exceed the entitlement and the expiration, this indicates the following:

  • You must re-evaluate your index ingestion and retention settings. See the topics listed in the See also section on how to manage indexes and DDAA settings.
  • You may need to upgrade your subscription to better handle your true data ingest and retention rates. Contact your Splunk account representative for help.

Restoration Summary

In CMC, select the Archive Management link in the first panel of the Storage Summary or Archive Storage (DDAA) dashboard, then select the Restoration Summary tab.

The information in this tab shows the restoration activity for all of your deployment's indexes that are enabled with the DDAA feature. These totals in GB show the amount of uncompressed (raw) data in the following categories:

  • Restored: Copied archive data that has been temporarily restored to an index. Restored data expires from searchable storage after 30 days.
  • Cleared: Restored data that has been manually removed from an index. This data has a Jobstatus of Cleared.
  • Expired: Data that has been automatically removed from searchable storage as it has passed the 30-day retention period. This data has a Jobstatus of Expired.

The displayed totals depend on the data you have selected to restore or clear and also the conditions and limitations of the restoration process, as follows:

  • The archival and restoration process is complete.
  • The data doesn't overlap with other data.
  • The data size doesn't cause performance issues.

For more information, see the following in the the Splunk Cloud Platform Admin Manual:

Interpret these results

Review these totals and determine if the amount of data restored, cleared, and expired in your deployment meets or exceeds your organization's actual requirements. For example, a high total for restored data or low total for cleared or expired data may indicate the need to re-evaluate your index management policies and procedures. Ensure that you are restoring and retaining only the data that your organization truly needs.

See also

For more information about See
Managing your aged ingested data with DDAA Store expired Splunk Cloud Platform data to a Splunk-managed archive
Managing indexes Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual

Monitor your Federated Search for Amazon S3 resources

Federated Search for Amazon S3 lets you search data from your Amazon S3 buckets from your Splunk Cloud Platform deployment without needing to ingest or index it first. The Federated Search for Amazon S3 dashboard in the CMC shows comprehensive data scan entitlement usage so your organization can stay within its limits.

About the Federated Search for Amazon S3 dashboard

This dashboard shows what your total data scan entitlement is and how much of that entitlement is used to date by your Federated Search for Amazon S3 searches in your current license term.

The dashboard tracks the volume of data on disk that is being scanned, not the amount of events that are being searched. Scans of data stored in compressed formats such as Parquet or GZIP will likely take up less of your entitlement than scans of data stored in uncompressed formats.

Review the information to ensure that you're staying within your Federated Search for Amazon S3 entitlement.

Your organization must have Federated Search for Amazon S3 set up as part of its Splunk Cloud Platform deployment to see data in this dashboard.

Review the Federated Search for Amazon S3 dashboard

Go to Cloud Monitoring Console > License Usage > Federated Search for Amazon S3. The dashboard displays N/A if your organization does not have a Federated Search for Amazon S3 entitlement.

Panel Description
Current license entitlement Total number of DSUs assigned to your organization's subscription per your license entitlement.
Data Scan Unit (DSU) usage Total amount of data scanning capabilities available for use during your current license term.
Data scanned volume Total amount of data scanned by your searches during your current license term.
Percentage of data scan entitlement used The percentage of data scanning capabilities utilized by your searches during your current license term.
Top 10 consumers Charts showing the top 10 apps and top 10 users that trigger searches with the highest DSU.
Top 10 saved searches Saved searches that consume the highest DSU.

Interpret federated search for Amazon S3 data scan entitlement usage

The Percentage of data scan entitlement used panel is color-coded so you can quickly understand your usage. If your data scan entitlement usage is less than 80%, the panel data is green. If your usage is greater than 80%, the panel data is yellow. If your usage is greater than 90%, the panel data is red.

You can configure an alert action (for example, send an email) to be performed when your data scan entitlement usage exceeds 80%. Navigate to the CMC Alerts dashboard to enable this alert. Select Configured Alerts then CMC Alert - S3 scanned volume exceeds 80% of the entitlement value.

To learn more about CMC configured alerts, see Use the Alerts panel.

If your data scan entitlement usage is consistently high, consider upgrading entitlements by contacting your Splunk Sales representative.

Monitor your Federated Analytics licenses

This dashboard shows comprehensive Federated Analytics usage data so your organization can stay within its licensed limits. Federated Analytics uses the core platform entitlement for local data ingestion and Data Scan Units (DSUs) for federated searches.

This dashboard contains entitlement and usage metrics attributed to Data Scan Units (DSUs) for Federated Searches on external data sets. To learn more about Federated Analytics for Data Lakes, see About Federated Analytics.

Review the Federated Analytics dashboard

Go to Cloud Monitoring Console > License Usage > Federated Analytics. The dashboard displays N/A if your organization does not have a Federated Analytics entitlement.

Panel Description
Data Scan Unit (DSU) usage Total amount of data scanning capabilities available for use during your current license term.
Search - peak SVC usage for data lake The highest amount of SVC usage for the data lake for searches.
Indexing - peak SVC usage for data lake The highest amount of SVC usage for the data lake for indexing.
Federated Analytics DSU Usage over time Shows the Data Scan Unit license usage for federated searches of remote datasets by Federated Analytics.
Federated Analytics SVC usage Shows the amount of SVC usage for Federated Analytics search and indexing processes.