Splunk Utilization Dashboards for Multi-tenant Splunk Environment

I recently worked with a managed security service provider (MSSP) that needed to understand how much of the Splunk Cloud service was consumed by each client. Accuracy and simplicity were key requirements for this solution.

I created an interactive dashboard to quantify the event and host count for each client, and to show the average for all clients.

I created a second dashboard to analyze the SVC usage, which represents the actual billing basis for Splunk Cloud.

This data is already captured in Splunk, but the use case requires us to analyze several months at a time, and these queries can take a few minutes to return results. The use case also involves several metrics, too many to list on a "static" report. So I built a dashboard that is powered by saved searches. This way the dashboard is nice and fast, and the saved searches can be scheduled to run only once a month, at night.
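The scheduled-search pattern described above can be sketched as a `savedsearches.conf` stanza. This is an added example, not the author's configuration: the stanza name, the six-month window, the 02:00 run time and the one-index-per-client mapping are all assumptions.

```ini
# savedsearches.conf (added example, not the original post's configuration)
# Assumption: each client's data lives in its own index, so "index" stands in for "client".
[Client Utilization - Monthly]
# tstats reads indexed metadata only, so counting events and distinct hosts
# over several months stays cheap compared with a raw event search.
search = | tstats count AS events dc(host) AS hosts where index=* by index \
| rename index AS client \
| eventstats avg(events) AS avg_events avg(hosts) AS avg_hosts \
| eval events_vs_avg = round(events / avg_events, 2), hosts_vs_avg = round(hosts / avg_hosts, 2) \
| sort - events

# Analyze the last six complete calendar months (assumed window).
dispatch.earliest_time = -6mon@mon
dispatch.latest_time = @mon

# Run once a month, at night: 02:00 on the 1st.
enableSched = 1
cron_schedule = 0 2 1 * *

# Keep the result artifact for two schedule periods so the dashboard
# always has a completed run to load.
dispatch.ttl = 2p

# Dashboard side (Simple XML): a panel loads the stored results instead of
# re-running the query, for example:
#   <search ref="Client Utilization - Monthly"></search>
```

Because `index=*` does not match internal indexes (those whose names start with `_`), Splunk's own telemetry is excluded from the per-client averages. Check that the role owning the saved search can read every client index, otherwise some tenants are silently missing from the report.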