Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Processor CPU Profiling per Sourcetype” under "DMC -> Indexing -> Indexing Performance:Instances" is not populating any data.

khusain_splunk
Splunk Employee
Splunk Employee
‎08-14-2018 02:04 AM

Regex Processor CPU Profiling per Sourcetype” under "DMC -> Indexing -> Indexing Performance:Instances" is not populating any data.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

mbagali_splunk
Splunk Employee
Splunk Employee
‎08-16-2018 02:07 AM

“Regex Processor CPU Profiling per Sourcetype” is a new splunk feature and by default this panel do not populate any data.

To load the panel we need to set "regex_cpu_profiling = true" in limits.conf file. By default it is set to false.

regex_cpu_profiling =

* Enable CPU time metrics for RegexProcessor. Output will be in the
metrics.log file.
Entries in metrics.log will appear per_host_regex_cpu, per_source_regex_cpu,
per_sourcetype_regex_cpu, per_index_regex_cpu.
* Default: false

"regex_cpu_profiling" is utilized as a troubleshooting tool to identify blocks in the typing queue and narrowing down which source and/or source type is taking most of the CPU time or the CPU time per event.

If you are interested in the per_host_regex_cpu it would be necessary to enable the regex_cpu_profiling = true on all of the "Indexers" so you can receive these type of metrics logs from all the indexers.

We recommend you compare splunkd CPU utilization before & after turning it on.

View solution in original post

Reply
Solved! Jump to solution
Solution

mbagali_splunk
Splunk Employee
Splunk Employee
‎08-16-2018 02:07 AM

“Regex Processor CPU Profiling per Sourcetype” is a new splunk feature and by default this panel do not populate any data.

To load the panel we need to set "regex_cpu_profiling = true" in limits.conf file. By default it is set to false.

regex_cpu_profiling =

* Enable CPU time metrics for RegexProcessor. Output will be in the
metrics.log file.
Entries in metrics.log will appear per_host_regex_cpu, per_source_regex_cpu,
per_sourcetype_regex_cpu, per_index_regex_cpu.
* Default: false

"regex_cpu_profiling" is utilized as a troubleshooting tool to identify blocks in the typing queue and narrowing down which source and/or source type is taking most of the CPU time or the CPU time per event.

If you are interested in the per_host_regex_cpu it would be necessary to enable the regex_cpu_profiling = true on all of the "Indexers" so you can receive these type of metrics logs from all the indexers.

We recommend you compare splunkd CPU utilization before & after turning it on.

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎08-14-2018 04:18 PM

This does not appear to be well documented but I believe you can enable it in the limits.conf file:

regex_cpu_profiling = <bool>
* Enable CPU time metrics for RegexProcessor. Output will be in the 
  metrics.log file.
  Entries in metrics.log will appear per_host_regex_cpu, per_source_regex_cpu,
  per_sourcetype_regex_cpu, per_index_regex_cpu.
* Default: false

The help page for the monitoring console goes here but no mention of the above setting...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

afroemmel_splun
Splunk Employee
Splunk Employee
‎11-12-2024 11:35 PM

Update: since Splunk 9.2 Regex_cpu_profiling  in limits.conf default value is true.

Spoiler
regex_cpu_profiling = <boolean>
* Enable CPU time metrics for RegexProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_regex_cpu, per_source_regex_cpu,
  per_sourcetype_regex_cpu, per_index_regex_cpu.
* Default: true

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...