All Apps and Add-ons

SoS: can't see information in the resource usage view

krussell101
Path Finder

Installed SOS yesterday. Installed Sideview Utils after I installed SoS.

In SoS everthing appears to be working except for the two dropdowns under "Resource Usage" and "Crash Log Viewer" under "Warnings and Errors". The latter I would expect some results because I had a crash two weeks ago.

Is there something I've missed in the install of SoS? I did it all from the web interface.

Advice appreciated.

Thanks!

1 Solution

hexx
Splunk Employee
Splunk Employee

Regarding the lack of information in the "Splunk CPU/Memory Usage" view, it seems likely that you haven't enabled the ps_sos.sh scripted input. Read more about how to configure SoS to monitor the resource usage of your Splunk instance in this Splunk Answer.

Regarding the crash log, it's harder to say. Can you check if there is a crash log file in $SPLUNK_HOME/var/log/splunk? If yes, the next step would be to check if it's been indexed to the _internal index by searching for it in the following fashion:

index=_internal source=*crash*.log

Does that return any events?

View solution in original post

hexx
Splunk Employee
Splunk Employee

Regarding the lack of information in the "Splunk CPU/Memory Usage" view, it seems likely that you haven't enabled the ps_sos.sh scripted input. Read more about how to configure SoS to monitor the resource usage of your Splunk instance in this Splunk Answer.

Regarding the crash log, it's harder to say. Can you check if there is a crash log file in $SPLUNK_HOME/var/log/splunk? If yes, the next step would be to check if it's been indexed to the _internal index by searching for it in the following fashion:

index=_internal source=*crash*.log

Does that return any events?

hexx
Splunk Employee
Splunk Employee

Since you mentioned that you experienced a crash log two weeks ago, I would have expected a crash log there. But if there isn't one, that certainly explains why SOS' crash log viewer isn't showing anything.

krussell101
Path Finder

Beauty! That did it. I enabled ps_sos.sh and it's all good. Thank YOU.

I do not have a crash.log in that directory. Should I?

rroberts
Splunk Employee
Splunk Employee

krussell101
Path Finder

I appreciate the link. I had not seen that. I am running 4.3.2. Which is not listed in that link as having a bug. Time allowing however, I may try the fixes they suggest.

Thanks!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...