Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Searching the _introspection index, why are PerProcess events missing?

dvmrp
New Member
‎08-31-2016 09:55 AM

Hi,

While checking the introspection index, the search index=_introspection | dedup component | table component returns below results, but 'PerProcess' is missing. Any idea?

Hostwide 
KVStoreServerStats 
KVStoreCollectionStats 
KVStoreReplicaSetStats 
IOStats 
Partitions 
Fishbucket 
Indexes 
Volumes 
Dispatch 
Summaries
0 Karma
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎09-20-2016 09:05 PM

Hi - sorry for the delay here. I think my understanding is that you're talking about a Windows Universal Forwarder, and you don't see the PerProcess component in the _introspection index. I checked a Windows forwarder in my lab (6.4.3, Windows 7 64 bit) and sure enough, even though the introspection app was enabled, I did NOT see PerProcess.

I did get this working, and here's what I did:

  1. Copied server.conf within the introspection app from default to local.
  2. Edited server.conf and set acquireExtra_i_data = true in two stanzas: [introspection:generator:disk_objects] and [introspection:generator:resource_usage]
  3. Because I'm super impatient I set collectionPeriodInSecs = 60 in both stanzas.
  4. Restarted forwarder.

A few minutes later, I had this, where I did not have that component ever before:

alt text

Try something like that and let us know? By the way, this is documented here:

https://docs.splunk.com/Documentation/Splunk/6.4.3/Troubleshooting/ConfigurePIF#Populate_.22Extra.22...

Preview file
143 KB
Reply

micahkemp
Champion
‎08-31-2016 10:29 AM

Do you get any results by searching:

index=_introspection "PerProcess"

And what timeframe are you searching (though I doubt that's the issue)?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...