All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to pull performance data from splunk peers

yiguanghu
Explorer
‎08-08-2012 07:29 AM

I have SOS installed on two splunk indexer boxes (4.3.2). They are independent to each other now. One is a dev and one is a uat. I can look SOS report on each. How can I look at the SOS report on one instance from the remote/peer instance? I know SOS page mentions it can. But How to do it?
Thanks

Reply

rmorlen
Splunk Employee
Splunk Employee
‎08-08-2012 11:34 AM

We have SOS installed on a searchhead and on the indexers. I can get info about all indexers/searchheads from the SOS instance on the searchhead. I can connect to an individual indexers and get info on just that indexer.

At some point I would like the see a merged view (so monitor the queues for all indexers from the searchhead).

0 Karma
Reply

mwhite_splunk
Splunk Employee
Splunk Employee
‎08-08-2012 11:57 AM

SoS has a dashboard for distributed indexing performance. My apologies, but I'm not really sure what you are looking for.

0 Karma
Reply

mwhite_splunk
Splunk Employee
Splunk Employee
‎08-08-2012 08:41 AM

Here are two answers that can help you:

Query a Heavy Forwarder from SoS

How Can I Monitor My Forwarder Using SoS

Reply

hexx
Splunk Employee
Splunk Employee
‎08-14-2012 08:01 PM

As @mwhite_splunk mentions, you should be able to achieve your goal by following the instructions in this Splunk Answer. The jist of it is that you need to install the SoS TA on any instance that you want whose system resource usage you want to monitor (except for the search-head where SoS will be installed) and make sure that the instances that are not indexers are forwarding the events of the sos index back to the indexers.

0 Karma
Reply

yiguanghu
Explorer
‎08-08-2012 11:56 AM

Thanks for the answers. From the answers, looks like I have to use distributed search? Make one as search head and the other one forward only the performace data to the search head? If I do that, can the non-search-head indexer instance still able to do search?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...