Getting Data In

Is there an easy way to get resource usage per Splunk process for a universal forwarder?

a212830
Champion

Hi,

Is there an easy way to get resource usage for a universal forwarder? I don't see anything in the distributed management console.

ecaepp
Explorer

I would recommend using the "Splunk Add-on for Unix" app. It has many scripted inputs that can be turned on via the inputs.conf to collect such performance and usage data. (https://splunkbase.splunk.com/app/833/#/overview)

I would also like to note if you are going to use this on many UFs it is recommended that you use a deployment server to mange the app.

0 Karma

mwalker_splunk
Splunk Employee
Splunk Employee

You can enable platform instrumentation which will start populating the _introspection index (disabled by default on UF) by following these steps: http://docs.splunk.com/Documentation/Splunk/6.1.4/Troubleshooting/ConfigurePIF

sourcetype=splunk_resource_usage should give you some insights into what you're looking for.

ddrillic
Ultra Champion

Most cheerful!

alt text

0 Karma

sloshburch
Ultra Champion

I thought most folks do this by using things like the Nix and Win TAs to get process resource consumption in the same way they would for any process running on the host. (A la ps.sh and its Windows equivalent)

0 Karma

a212830
Champion

Thanks. I take it that means it's not built into introspection?

0 Karma

javiergn
SplunkTrust
SplunkTrust

Another approach (there might be more I'm sure).

If UNIX:

  • Deploy app that runs top or similar command every X seconds => index => search and use multikv to parse

If Windows:

  • Deploy app that runs powershell code (Get-Process, Get-Service, etc) every X seconds => index => search
0 Karma

woodcock
Esteemed Legend
0 Karma

woodcock
Esteemed Legend

What do you mean? What would you like to see?

0 Karma

a212830
Champion

cpu and memory, mainly, per splunk process, if possible.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!