Skip to main content
Version: Atlas v3.11

License Utilization Journey

The License Utilization Journey enables users to get more visibility into how their Splunk data is being used and how it is impacting their license. They can achieve clarity about who is using the data and how they are using it in their environment. Commonly, Splunk owners find they have lost sight of why the data is in Splunk in the first place and what the impact to the business is if it stops coming in. This also becomes an issue when Splunk environments start to ingest more data than their entitlement allows. This has financial impacts as they expand their license capacity without really understanding what data they have in their environments.

Atlas Elements Utilized

Outcomes

Identifying Underutilized Indexes

Data is logically stored in indexes on Splunk environment. Indexes generally are aligned to data sources, or data access. By analyzing utilization by ad-hoc searches, scheduled searches, and dashboard pings on a per index level, Splunk Admins can quickly identify any anomalous low utilization. Low utilized indexes can be reviewed for additional use cases and alerting or can be furthered reviewed to control license growth.

  1. Open the Data Utilization element in Atlas.
  2. Review list of Indexes by utilization and data ingest volume.
  3. Identify indexes with 0 use and identify license utilization. Open Data Management and identify or record owners of data sets. Write an admin note that this data set has 0 utilization.
  4. Identify indexes with minimal total utilization activity by defining the number of queries that define minimal utilization and input it into the KPI input. Record amount of data sets that meet this requirement.
  5. Review datasets that are under the utilization threshold. Open Data Management and identify or record owners of data sets. Write an admin note that this data set has minimal utilization.

Identifying Underutilized Index Source Type Data Sets

Providing insight into how data sources are being utilized through searches, reports, alerts, and dashboards gives valuable insight into data sources that are being underutilized. This can illuminate areas where more utilization of data would be valuable, or if it would be best to consider looking at optimizing the how this data is stored. Underutilized Splunk data are data sources being ingested but not utilized in searches, reports, alerts, or dashboards.

  1. Open the Data Utilization element in Atlas.
  2. Review list of Indexes by utilization and data ingest volume.
  3. Identify indexes with 0 use and identify license utilization. Open Data Management and identify or record owners of data sets. Write an admin note that this data set has 0 utilization.
  4. Identify indexes with minimal total utilization activity by defining the number of queries that define minimal utilization and input it into the KPI input. Record amount of data sets that meet this requirement.
  5. Review datasets that are under the utilization threshold. Open Data Management and identify or record owners of data sets. Write an admin note that this data set has minimal utilization.