Introducing Splunk App for Chargeback

The Splunk App for Chargeback provides the ability to analyze and manage how internal business units, departments, and individuals are consuming Splunk resources. The three main features of the App are:

  • Chargeback - How much each business unit pays for their Splunk Environment
  • Showback - How many resources are being used by each business unit
  • Forecasting - Predict future storage and compute needs

The Splunk App for Chargeback allows you to manage, monitor, and forecast resource utilization in your shared Splunk environment. You can use Splunk App for Chargeback to focus on any business unit, department, or an individual user.

A screenshot from the App’s executive dashboard showing SVC/DDAS/DDAA usage.
(SVC: Splunk Virtual Compute; DDAS: Splunk Cloud Dynamic Data: Active Searchable; DDAA: Splunk Cloud Dynamic Data: Active Archive)

The Splunk App for Chargeback analyzes the same utilization information provided in your Cloud Monitoring Console (CMC) and Monitoring Console (MC) regardless if you are a Splunk Cloud Platform or Splunk Enterprise customer. The end result is a straightforward view into your Splunk utilization across your business hierarchy.


The Splunk App for Chargeback is a free app on Splunkbase for customers on Splunk Cloud Platform or Splunk Enterprise, regardless of your license type.

The Splunk App for Chargeback provides the framework necessary to analyze Splunk Cloud workload or ingest license models and Splunk Enterprise vCPU or ingest license models.

Click on the links below to learn more about Splunk Cloud Workload Pricing and the different types of licensing the App supports:

  1. What is Workload Pricing?
  2. Choose Volume or Compute-Based Pricing Plans for Ultimate Flexibility

Splunk App for Chargeback: Key Highlights

Business Process Description
Accounting and Utilization Framework for customers to build their own Chargeback and/or Showback models.
Accounting Means to determine how many resources SVCs and/or vCPUs are allocated towards a company's business units, departments, and users associated with them.
Utilization Means to automatically determine and drill-down on how SVCs and/or vCPUs are being used by the various Business Units. 
Accounting and Planning Ability to forecast SVC or vCPU consumption and storage usage for the entire organization or by business unit using Splunk Machine Learning.
Customization to Fit any Business Hierarchy Customers can build their Showback framework based on the app’s unique 8 Enrichment Principles (Click here for more info

Technical Features

Are you interested in building a powerful executive dashboard to showcase how your business units are consuming Splunk resources? If yes, you are in the right place. Here is an example of an out-of-the-box dashboard to get you started quickly.

Let us showcase how The Splunk T-Shirt Company used the App to give the Splunk team the visibility they needed in their Splunk Cloud stack. The Splunk T-Shirt Company is on the Splunk Cloud Workload (SVC) model.  Workload allowed them to have more flexibility on how their business units are consuming Splunk Cloud resources. Like any other organization, The Splunk T-Shirt Company needed to have some way to measure that usage and put a process in place for Showback and Chargeback use cases.  

All screenshots in this blog were taken from a demo environment, and we will be focusing on one business unit in particular called Global Information Security, or GIS for short.

A screenshot from the App’s Showback dashboard showing SVC usage at the highest level of the business with drilldown capability at the departmental and user levels.

Let’s drill down on GIS, an important business unit in the Splunk T-Shirt company organization, and see a departmental breakdown of SVC usage:

This screenshot shows a departmental and user SVC usage breakdown for the GIS business unit.

We can also use the App’s executive or reports dashboards to review SVC usage by business unit over time and split that usage by department within the business unit we are analyzing.

This screenshot shows GIS’s SVC usage in the last 30 days with an overlay of their entitlement.

Storage is also an important part of The Splunk T-Shirt Company’s environment. Below, we can see how much data the GIS team has been ingesting on a daily basis by index:

This screenshot shows GIS’s daily ingestion in GB in the last 90 days taken from the storage dashboard.

Here we can see the amount of storage GIS used by departments. We also see an overlay of their entitlement the Splunk team set up in the App. We can clearly see that GIS exceeded their quota the first week of October and may need to adjust their index retention to stay within their allocation.

The screenshot shows GIS’s Dynamic Data Active Searchable (DDAS) in GB usage in the last 90 days taken from the storage dashboard.

Like any other business units, GIS must archive historical data in case they need to re-index it for auditing purposes. Below we see how much they are archiving on a daily basis, which has a separate cost associated with it. We can also see that GIS exceeded their archiving quota on a couple of occasions, but remained below quota the majority of the time.

The screenshot shows GIS’s Dynamic Data Active Archive (DDAA) in GB usage in the last 90 days. Learn more about Splunk Cloud DDAA here.

How about we do something cool and be more proactive and predict future Splunk resource usage based on historical data?

What you are looking at below is the State Space Forecast algorithm for time series data using the Splunk Machine Learning Toolkit, available to all customers free of charge. This forecast is based on Kalman filters. 

The screenshot shows a four month SVC forecast for GIS using the last 3 months of known usage. This panel is powered by Splunk Machine Learning Toolkit (MLTK).

Don’t wait, be the first to get started by simply browsing for more apps by searching for Chargeback, then click on “Install”. No restarts or further steps are required. 

Please note that the App is compatible with Splunk Cloud Self-Service app installation (SSAI), so no need to open a support case to install the app — you can do it on your own!

For more information, check out Splunk Documentation and the Splunkbase posting that has flowcharts and multiple videos to get you started today.  

AK Khamis
Posted by

AK Khamis

AK is a Principal Consultant at Splunk with over 25 years of experience in ITOps and SecOps. AK spent the majority of his time at Splunk delivering services at hundreds of customer sites in both ITOps and SecOps. His new role focuses more on building new Apps or improving existing Apps used by thousands of Splunk Cloud and Splunk Enterprise customers.

Show All Tags
Show Less Tags