Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there an easy way to get resource usage per Splunk process for a universal forwarder?

a212830
Champion
‎06-29-2016 05:21 AM

Hi,

Is there an easy way to get resource usage for a universal forwarder? I don't see anything in the distributed management console.

Reply

ecaepp
Explorer
‎06-29-2016 01:06 PM

I would recommend using the "Splunk Add-on for Unix" app. It has many scripted inputs that can be turned on via the inputs.conf to collect such performance and usage data. (https://splunkbase.splunk.com/app/833/#/overview)

I would also like to note if you are going to use this on many UFs it is recommended that you use a deployment server to mange the app.

0 Karma
Reply

mwalker_splunk
Splunk Employee
Splunk Employee
‎06-29-2016 10:59 AM

You can enable platform instrumentation which will start populating the _introspection index (disabled by default on UF) by following these steps: http://docs.splunk.com/Documentation/Splunk/6.1.4/Troubleshooting/ConfigurePIF

sourcetype=splunk_resource_usage should give you some insights into what you're looking for.

Reply

ddrillic
Ultra Champion
‎06-29-2016 12:18 PM

Most cheerful!

alt text

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎06-29-2016 08:42 AM

I thought most folks do this by using things like the Nix and Win TAs to get process resource consumption in the same way they would for any process running on the host. (A la ps.sh and its Windows equivalent)

0 Karma
Reply

a212830
Champion
‎06-29-2016 07:07 AM

Thanks. I take it that means it's not built into introspection?

0 Karma
Reply

javiergn
Super Champion
‎06-29-2016 07:00 AM

Another approach (there might be more I'm sure).

If UNIX:

  • Deploy app that runs top or similar command every X seconds => index => search and use multikv to parse

If Windows:

  • Deploy app that runs powershell code (Get-Process, Get-Service, etc) every X seconds => index => search
0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2016 06:58 AM

You need to deploy perfmon:

http://blogs.splunk.com/2013/10/28/new-features-for-perfmon-in-splunk-6/

0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2016 06:00 AM

What do you mean? What would you like to see?

0 Karma
Reply

a212830
Champion
‎06-29-2016 06:50 AM

cpu and memory, mainly, per splunk process, if possible.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...