Getting Data In
Highlighted

Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Champion

Hi,

Is there an easy way to get resource usage for a universal forwarder? I don't see anything in the distributed management console.

Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Esteemed Legend

What do you mean? What would you like to see?

0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Champion

cpu and memory, mainly, per splunk process, if possible.

0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Esteemed Legend
0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

SplunkTrust
SplunkTrust

Another approach (there might be more I'm sure).

If UNIX:

  • Deploy app that runs top or similar command every X seconds => index => search and use multikv to parse

If Windows:

  • Deploy app that runs powershell code (Get-Process, Get-Service, etc) every X seconds => index => search
0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Champion

Thanks. I take it that means it's not built into introspection?

0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Ultra Champion

I thought most folks do this by using things like the Nix and Win TAs to get process resource consumption in the same way they would for any process running on the host. (A la ps.sh and its Windows equivalent)

0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Splunk Employee
Splunk Employee

You can enable platform instrumentation which will start populating the _introspection index (disabled by default on UF) by following these steps: http://docs.splunk.com/Documentation/Splunk/6.1.4/Troubleshooting/ConfigurePIF

sourcetype=splunkresourceusage should give you some insights into what you're looking for.

Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Ultra Champion

Most cheerful!

alt text

0 Karma
Highlighted

Re: Is there an easy way to get resource usage per Splunk process for a universal forwarder?

Explorer

I would recommend using the "Splunk Add-on for Unix" app. It has many scripted inputs that can be turned on via the inputs.conf to collect such performance and usage data. (https://splunkbase.splunk.com/app/833/#/overview)

I would also like to note if you are going to use this on many UFs it is recommended that you use a deployment server to mange the app.

0 Karma