Getting Data In

Is there an easy way to get resource usage per Splunk process for a universal forwarder?

a212830
Champion

Hi,

Is there an easy way to get resource usage for a universal forwarder? I don't see anything in the distributed management console.

ecaepp
Explorer

I would recommend using the "Splunk Add-on for Unix" app. It has many scripted inputs that can be turned on via the inputs.conf to collect such performance and usage data. (https://splunkbase.splunk.com/app/833/#/overview)

I would also like to note if you are going to use this on many UFs it is recommended that you use a deployment server to mange the app.

0 Karma

mwalker_splunk
Splunk Employee
Splunk Employee

You can enable platform instrumentation which will start populating the _introspection index (disabled by default on UF) by following these steps: http://docs.splunk.com/Documentation/Splunk/6.1.4/Troubleshooting/ConfigurePIF

sourcetype=splunk_resource_usage should give you some insights into what you're looking for.

ddrillic
Ultra Champion

Most cheerful!

alt text

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I thought most folks do this by using things like the Nix and Win TAs to get process resource consumption in the same way they would for any process running on the host. (A la ps.sh and its Windows equivalent)

0 Karma

a212830
Champion

Thanks. I take it that means it's not built into introspection?

0 Karma

javiergn
Super Champion

Another approach (there might be more I'm sure).

If UNIX:

  • Deploy app that runs top or similar command every X seconds => index => search and use multikv to parse

If Windows:

  • Deploy app that runs powershell code (Get-Process, Get-Service, etc) every X seconds => index => search
0 Karma

woodcock
Esteemed Legend
0 Karma

woodcock
Esteemed Legend

What do you mean? What would you like to see?

0 Karma

a212830
Champion

cpu and memory, mainly, per splunk process, if possible.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...