All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SoS: can't see information in the resource usage view

krussell101
Path Finder
‎07-07-2012 08:48 AM

Installed SOS yesterday. Installed Sideview Utils after I installed SoS.

In SoS everthing appears to be working except for the two dropdowns under "Resource Usage" and "Crash Log Viewer" under "Warnings and Errors". The latter I would expect some results because I had a crash two weeks ago.

Is there something I've missed in the install of SoS? I did it all from the web interface.

Advice appreciated.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎07-14-2012 12:05 AM

Regarding the lack of information in the "Splunk CPU/Memory Usage" view, it seems likely that you haven't enabled the ps_sos.sh scripted input. Read more about how to configure SoS to monitor the resource usage of your Splunk instance in this Splunk Answer.

Regarding the crash log, it's harder to say. Can you check if there is a crash log file in $SPLUNK_HOME/var/log/splunk? If yes, the next step would be to check if it's been indexed to the _internal index by searching for it in the following fashion:

index=_internal source=*crash*.log

Does that return any events?

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎07-14-2012 12:05 AM

Regarding the lack of information in the "Splunk CPU/Memory Usage" view, it seems likely that you haven't enabled the ps_sos.sh scripted input. Read more about how to configure SoS to monitor the resource usage of your Splunk instance in this Splunk Answer.

Regarding the crash log, it's harder to say. Can you check if there is a crash log file in $SPLUNK_HOME/var/log/splunk? If yes, the next step would be to check if it's been indexed to the _internal index by searching for it in the following fashion:

index=_internal source=*crash*.log

Does that return any events?

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎07-16-2012 09:16 AM

Since you mentioned that you experienced a crash log two weeks ago, I would have expected a crash log there. But if there isn't one, that certainly explains why SOS' crash log viewer isn't showing anything.

Reply
Solved! Jump to solution

krussell101
Path Finder
‎07-16-2012 09:00 AM

Beauty! That did it. I enabled ps_sos.sh and it's all good. Thank YOU.

I do not have a crash.log in that directory. Should I?

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎07-09-2012 07:18 AM

I found this thread useful for troubleshooting:

http://splunk-base.splunk.com//answers/38452/the-lookup-table-splunk_instances_info-is-invalid-sos

Reply
Solved! Jump to solution

krussell101
Path Finder
‎07-09-2012 01:50 PM

I appreciate the link. I had not seen that. I am running 4.3.2. Which is not listed in that link as having a bug. Time allowing however, I may try the fixes they suggest.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top