Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource metrics is key to managing costs and performance. The Cloud Monitoring Console (CMC) Workload Dashboard is a vital tool, offering insights into how your SVC entitlements are being used. 

Since CMC 3.30, we’ve introduced an enhancement in the modernized Workload dashboard that unlocks deeper insights and clarity, particularly for the category previously known as “Search Launcher.”

Search Launcher Attribution: What Was the Challenge?

Historically, the CMC performed SVC attribution by summarizing data using 10-second samplings. While this method was successful in attributing SVC usage and simplified the process, specific details were not captured for any search that completed in under 10 seconds. Instead of being attributed to a user, application, or search name, these searches were attributed generically as "Search Launcher," the Splunk process responsible for initiating searches.

This meant that if you had a high volume of sub 10-second searches, "Search Launcher" could appear as a significant user of your SVCs, making it challenging to pinpoint the specific searches, users, or applications responsible for that usage.

Why a Change Was Needed

The lack of detailed visibility into the searches under "Search Launcher" usage created significant challenges:

• Obscured Insights: It was challenging to accurately track SVC usage and understand where resources were truly being utilized.
• Performance Investigation Hurdles: Without knowing which specific searches contributed to "Search Launcher" usage, it was difficult to identify and optimize inefficient searches or user behaviors.
• Customer Frustration: The generic grouping led to confusion and made it difficult to make informed decisions about your workloads.

Introducing the Fix: Granular SVC Attribution

To address these critical issues, we've introduced splunk-svc-search-attribution in _cmc_summary index. The key to this solution is a foundational change to the attribution model: we now attribute the SVC usage to each search process, instead of relying on sampling intervals. This allows us to attribute SVCs to their precise search type, user, and application.

Any SVC usage previously attributed to "Search Launcher" will now be accurately distributed to the actual search types, such as ad-hoc, data model acceleration, report acceleration, scheduled, and summary index searches. The "Search Launcher" process is now eliminated as a search type for SVC attribution. 

Old vs. New: A Side-by-Side Look

Here's a high-level comparison of how SVC attribution works now, compared to the old method:

Benefits for Your Organization

This enhancement delivers several significant advantages:

• Accuracy & Completeness: You gain a full picture of your SVC attribution, as all searches, regardless of duration, are now accurately represented in attribution calculations.
• Actionable Workload Insights: Easily identify which users, applications, or search types are using SVCs, even for previously "hidden" quick searches, enabling more effective resource management and troubleshooting.
• Optimized Resource Allocation: With precise data on true top users of SVCs, you can make more informed decisions to optimize search performance and potentially achieve cost efficiencies.

No Change in SVC Usage

It's important to note that this fix does not change the SVC usage or your existing entitlements. The overall amount of resources being consumed remains the same. The fundamental benefit is the vastly improved accuracy of the attribution model, which ensures that this usage is now correctly assigned to the initiating search, user, and application rather than being obscured by the search launcher process. This shift provides a true, granular picture of resource utilization.

How Can I Get Started?

This enhancement is available now and will apply automatically for environments running CMC 3.30.0 and Splunk Cloud 9.2.2408 or a newer release. You will see the changes in the Workload Dashboard, particularly in the "SVC usage per hour by search type" and "SVC usage per hour by top 10 searches" panels.

We are confident that these improvements will empower you with the insights needed to make smarter, more informed business decisions and effectively manage your Splunk Cloud environment.

To learn more about the Workload Dashboard and how to leverage it, please see our Splunk docs page.