The /sys/internal/counters endpoints are used to return data about the number of Tokens and Entities in Vault. They return information for the entire cluster.
Entities
This endpoint returns the total number of Entities.
This endpoint returns client activity information for a given billing period, which is represented by the start_time and end_time parameters.
There are a few things to keep in mind while using this API.
For Vault versions before 1.11, the activity information only accounts for the activity of the latest contiguous months in the billing period. For example, if the billing period is from Jan 2022 to June 2022, and the activity subsystem in Vault was not capturing data for the months Jan to March, the response will only include information for May and June. Note that if no start_time and end_time parameters are specified, the billing period defaults to 12 months, so the endpoint will return activity information from the end of the previous month to the start of 12 months prior to that date.
As of 1.11, this behavior has been modified to return all available data within the specified billing period.
As of 1.12, the end_time can be the current month.
The response contains the total activity for the billing period and the attributions of the total activity against specific components in Vault. This helps in understanding the total activity better by knowing which components in Vault lead to that top-level activity count. First-level of attribution breakdowns are by namespaces and months, under the by_namespaces and months JSON block, respectively.
{"by_namespace":[],"months":[],}
by_namespaces breakdowns provide attributions of each namespace to the total activity count. Mount level attributions further break down these namespaces attributions, wherein information can be found on the attributions of each mount path within a given namespace to the overall activity of the namespace.
months breakdowns provide attributions of each month to the total activity count. These month-level attributions are further broken down into namespace and mount level attributions for each month.
Each entry in the months breakdown contains a new_clients block. When a token is first used within a billing period, it is considered a new client for that billing period. This means that all the active clients in the first month of the billing period will be considered new clients for that billing period. While these tokens could be generated and counted in the previous billing period, they are still considered new clients in the context of the given billing period. For each subsequent month in the same billing period, the tokens used in those months that were unused in previous months of the same billing period are considered new clients for that month. Hence, the computation of new clients differs for each combination of start_time and end_time.
The new_clients block within the months breakdown will also be further broken down by namespaces and mounts for visibility into which components in Vault lead to the new clients for each month.
The distinct_entities field name has been deprecated since Vault 1.10. Refer to entity_clients field instead. The distinct_entities field is currently returned by the API for backward compatibility and it may be removed in the future.
The non_entity_tokens field name has been deprecated since Vault 1.10. Refer to non_entity_clients field instead. The non_entity_tokens field is currently returned by the API for backward compatibility, and it may be removed in the future.
If the end_date supplied to the API is for the current month, the activity information returned by this API will only be till the previous month. The activity system is designed to process the accumulated activity only at the end of the month. Since the system does not fully process the current month's information, it will not be added to the API response.
The response includes the actual time period covered, which may not exactly match the query parameters due to the month granularity of data or missing months in the requested time range.
Note that if the end_date specified is the current month, the last element in the months response stanza, signifying the current month, will not have namespace attribution for the new_clients stanza. Furthermore, the new_clients counts returned for the current month will be an approximation. That is to say, the response will appear as follows.
{"months":[ {"timestamp":"current_month_timestamp","counts":{"distinct_entities":"exact int value","entity_clients":"exact int value","non_entity_tokens":"exact int value","non_entity_clients":"exact int value","clients":"exact int value" },"namespaces": [ {"namespace_id":"root","namespace_path":"path","counts":{"distinct_entities":"exact int value","entity_clients":"exact int value","non_entity_tokens":"exact int value","non_entity_clients":"exact int value","clients":"exact int value" },"mounts":[ {"path":"auth/up2/","counts":{"distinct_entities":"exact int value","entity_clients":"exact int value","non_entity_tokens":"exact int value","non_entity_clients":"exact int value","clients":"exact int value" }, }, ] }, ],"new_clients":{"counts":{"distinct_entities":"approx int value","entity_clients":"approx int value","non_entity_tokens":"approx int value","non_entity_clients":"approx int value","clients":"approx int value" },"namespaces":[] } } ],}
Please visit the client count concepts page for more information on how clients map to these client IDs and how they are counted, or for more information about how the new clients for the current month are estimated in a billing period.
The response will include all child namespaces of the namespace in which the request was made. If some namespace has subsequently been deleted, its path will be listed as "deleted namespace :ID:." Deleted namespaces are reported only for queries in the root namespace because the information about the namespace path is unknown.
Method
Path
GET
/sys/internal/counters/activity
Parameters
start_time(string, optional) - An RFC3339 timestamp or Unix epoch time. Specifies the start of the period for which client counts will be reported. If no start time is specified, the default_report_months prior to the end_time will be used.
end_time(string, optional) - An RFC3339 timestamp or Unix epoch time. Specifies the end of the period for which client counts will be reported. If no end time is specified, the end of the previous calendar month will be used.
limit_namespaces(int, optional) - Controls the total number of by_namespace data returned. This can be used to return the client counts for the specified number of namespaces having highest activity. If no limit_namespaces parameter is specified, client counts for all namespaces in specified usage period is returned.
current_billing_period(bool, optional) - Uses the builtin billing start timestamp as start_time and the current time as the end_time, returning a response with the current billing period information without having to explicitly provide a start and end time.
This endpoint returns the client activity in the current month. The response will have activity attributions per namespace, per mount within each namespaces, and new clients information.
The time period is from the start of the current month, up until the time that this request was made.
Note: the client count may be inaccurate in the moments following a Vault reboot, or leadership change. The estimate will stabilize when background loading of client data has completed.
The /sys/internal/counters/config endpoint is used to configure logging of active clients.
Method
Path
POST
/sys/internal/counters/config
Parameters
default_report_months(integer: 12) - The number of months to report if no start_time is specified in a query.
enabled(string: enable, disable, default) - Enable or disable counting of client activity. When set to default, the client counts are enabled on Enterprise builds and disabled on community builds. Disabling the feature during the middle of a month will discard any data recorded for that month, but does not delete previous months.
retention_months(integer: 24) - The number of months of history to retain.
Any missing parameters are left at their existing value.
Reading the configuration shows the current settings, as well as a flag as to whether any data can be queried.
Method
Path
GET
/sys/internal/counters/config
enabled(string) - returns default-enabled or default-disabled if the configuration is default.
queries_available(bool) - indicates whether any usage report is available. This will initially be false until the end of the first calendar month after the feature is enabled.
Sample request
$ curl \
--request GET
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/internal/counters/config
This endpoint returns an export of the clients that had activity within the provided start and end times. The returned set of client information will be deduplicated over the time window and will show the earliest activity logged for each client. The output will be ordered chronologically by month of activity.
~> NOTE: This endpoint is currently in tech preview status.
There are a few things to keep in mind while using this API.
The response includes the actual time period covered, which may not exactly match the query parameters due to the month granularity of data or missing months in the requested time range.
If the end_date supplied to the API is for the current month, the activity information returned by this API will include activity for this month, however it may be up to 20 minutes delayed.
Method
Path
GET
/sys/internal/counters/activity/export
Parameters
start_time(string, optional) - An RFC3339 timestamp or Unix epoch time. Specifies the start of the period for which client counts will be reported. If no start time is specified, the default_report_months prior to the end_time will be used.
end_time(string, optional) - An RFC3339 timestamp or Unix epoch time. Specifies the end of the period for which client counts will be reported. If no end time is specified, the end of the previous calendar month will be used.
format(string, optional) - The desired format of the output file. Allowed values are csv and json. If no format is provided a default of json will be used.
