Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to track memory/cpu usage per search execution (on Search Head/Indexer)?

melonman
Motivator
‎05-30-2016 06:03 PM

Hi

I am looking for a way to track memory/cpu usage per search execution on search head and indexer.
I thought I could use _introspection index to track it, but I can not find process resource information in there.

I am currenly testing with splunk6.4.0 on MacOS, and I am trying to monitor searches on Search head Splunk 6.3.2 and Indexer Splunk 6.0.2.

Could anyone comment on this?

Thank you,

Reply

gjanders
SplunkTrust
SplunkTrust
‎06-07-2019 01:06 AM

There are a few dashboards in Alerts for Splunk Admins (splunkbase) or github that might help with tracking down the issues here. There are also alerts / reports to detect dashboard or saved searches with index=* or similar.

In particular for the dashboards:
troubleshooting_indexer_cpu
troubleshooting_resource_usage_per_user
detect_excessive_search_use

Saved searches:
SearchHeadLevel - Scheduled searches not specifying an index
SearchHeadLevel - User - Dashboards searching all indexes
SearchHeadLevel - Scheduled Searches without a configured earliest and latest time

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

spunk311z
Path Finder
‎07-19-2020 01:04 PM

Lots of great info and search queries in this thread (thanks),  splunk really is amazing!

One thing i can contribute is this search (below) that i often use to show all of my scheduled reports (it pairs nicely with some of the resource usage searches in this thread to help ID and modify your scheduled reports or their cron entry).

Also its nice to review this from time to time as its easy to loose track of cron scheduled reports you may no longer need to run (or run as frequently);

| rest /servicesNS/-/-/saved/searches  | search is_scheduled=1 | table author cron_schedule is_scheduled schedule_window title updated embed.enabled Search

 thanks

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-05-2019 06:36 AM

Hi @melonman,

If you want to search CPU and memory utilization per search execution with relevant information like which used executed and more.

index=_introspection host=* source=*/resource_usage.log* component=PerProcess data.process_type="search" 
 | stats latest(data.pct_cpu) AS resource_usage_cpu latest(data.mem_used) AS resource_usage_mem by data.pid, _time, data.search_props.type,data.search_props.mode, data.search_props.role,data.search_props.user, data.search_props.app, data.search_props.sid
Reply

MuS
SplunkTrust
SplunkTrust
‎05-30-2016 06:17 PM

Hi melonman,

Did you check out the Distributed Management Console http://docs.splunk.com/Documentation/Splunk/6.3.2/DMC/DMCoverview this should provide data for the search head.
Regarding the indexer try this search 

host=YourHostNameHere sourcetype=splunk_resource_usage index=_introspection component=PerProcess "data.process_type"=search

Hope this helps ...

cheers, MuS

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...