Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the process "splunkd instrument-resource-usage -p 8089 --with-kvstore" doing?

leo_wang
Path Finder
‎11-24-2016 02:10 AM

Hi ,

Our splunk servers has high CPU usage problem after upgrading to Splunk v6.5

It could related to my previous question :
https://answers.splunk.com/answers/475114/is-there-any-way-to-downgrade-from-65-to-63.html

And I noticed the abnormal high cpu-usage process is
"/opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore"

It is usually use more than 90% CPU all of the time...
What is this process doing for ?
How could I deal with this situation ?

alt text

Preview file
1 KB
0 Karma
Reply

arowsell_splunk
Splunk Employee
Splunk Employee
‎02-22-2017 02:31 AM

Hi,

There is a bug introduced in 6.5:

SPL-133720 - splunkd instrument-resource-usage process uses one full CPU core after upgrade to 6.5.1 on Centos 5

To workaround the issue is 6.5.0, 6.5.1 and 6.5.2 you can disable introspection as per the following:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/ConfigurePIF

To disable: in $SPLUNK_HOME/etc/apps/introspection_generator_addon/local/app.conf, set:

[install]
state = disabled

This should be fixed in 6.5.3.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-24-2016 02:22 AM

this process instrument-resource-usage configures the logging on your splunk instance

If you've disabled this logging on your instance, you can still invoke the CLI command. To invoke, at the command line:

$ splunkd instrument-resource-usage [--debug] [--once] [--extra]

where the flags mean:
--debug: Set logging level to DEBUG (this can also be done via log-cmdline.cfg)
--once: Emit one set of introspection data, and then quit
--extra: This has the same effect as setting acquireExtra_i_data to true in the server.conf [introspection:generator:resource_usage] stanza. See "What gets logged" for which fields are not logged by default and require this flag.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/ConfigurePIF

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...