Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there an easy way to get resource usage per Splunk process for a universal forwarder?

a212830
Champion
‎06-29-2016 05:21 AM

Hi,

Is there an easy way to get resource usage for a universal forwarder? I don't see anything in the distributed management console.

Reply

ecaepp
Explorer
‎06-29-2016 01:06 PM

I would recommend using the "Splunk Add-on for Unix" app. It has many scripted inputs that can be turned on via the inputs.conf to collect such performance and usage data. (https://splunkbase.splunk.com/app/833/#/overview)

I would also like to note if you are going to use this on many UFs it is recommended that you use a deployment server to mange the app.

0 Karma
Reply

mwalker_splunk
Splunk Employee
Splunk Employee
‎06-29-2016 10:59 AM

You can enable platform instrumentation which will start populating the _introspection index (disabled by default on UF) by following these steps: http://docs.splunk.com/Documentation/Splunk/6.1.4/Troubleshooting/ConfigurePIF

sourcetype=splunk_resource_usage should give you some insights into what you're looking for.

Reply

ddrillic
Ultra Champion
‎06-29-2016 12:18 PM

Most cheerful!

alt text

0 Karma
Reply

sloshburch
Ultra Champion
‎06-29-2016 08:42 AM

I thought most folks do this by using things like the Nix and Win TAs to get process resource consumption in the same way they would for any process running on the host. (A la ps.sh and its Windows equivalent)

0 Karma
Reply

a212830
Champion
‎06-29-2016 07:07 AM

Thanks. I take it that means it's not built into introspection?

0 Karma
Reply

javiergn
Super Champion
‎06-29-2016 07:00 AM

Another approach (there might be more I'm sure).

If UNIX:

  • Deploy app that runs top or similar command every X seconds => index => search and use multikv to parse

If Windows:

  • Deploy app that runs powershell code (Get-Process, Get-Service, etc) every X seconds => index => search
0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2016 06:58 AM

You need to deploy perfmon:

http://blogs.splunk.com/2013/10/28/new-features-for-perfmon-in-splunk-6/

0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2016 06:00 AM

What do you mean? What would you like to see?

0 Karma
Reply

a212830
Champion
‎06-29-2016 06:50 AM

cpu and memory, mainly, per splunk process, if possible.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...