All Apps and Add-ons

How do I set up the S.o.S app to monitor Splunk's system resource consumption?

hexx
Splunk Employee
Splunk Employee

I would like to set up the Splunk on Splunk app to monitor the resource usage (CPU and memory) of Splunk on my search-head and on my search peers.

How would I go about doing that?

1 Solution

hexx
Splunk Employee
Splunk Employee

As of Splunk on Splunk 2.0, SoS ships with the ps_sos.sh scripted input which once enabled, allows you to track the CPU and memory usage of the main Splunk components :

  • Splunkweb, the cherrypy-based web front-end.
  • splunkd, the back-end daemon which manages the indexing of data.
  • The searches fired by splunkd to retrieve events and build reports.

Note: Currently, this scripted input only exists on Linux and Unix. A similar functionality for Windows will be added in a future SoS release.

Also: You do not need to install the SoS technology add-on on an instance where SoS is already installed.

The ps_sos.sh data input ships both with the SoS app and with the SoS technology add-on for Unix and Linux.

1) On a search-head or stand-alone indexer:

  • Install the SoS app.
  • Enable the ps_sos.sh scripted input by one of the following methods:

a) Go to Manager > Data Inputs > Scripts. Enable the ps_sos.sh data input.

or

b) Run the following command from a terminal window:

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/nobody/sos/data/inputs/script/.%252Fbin%252Fps_sos.sh' -post:disabled 0

2) On search peers:

a) If Splunkweb is running, go to Manager > Data Inputs > Scripts. Enable the ps_sos.sh data input.

or

b) Run the following command from a terminal window:

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/nobody/TA-sos/data/inputs/script/.%252Fbin%252Fps_sos.sh' -post:disabled 0

Going forward, you will be able to track the CPU and memory usage of Splunk in the "Splunk CPU/Memory Usage" SoS view. Per-search memory usage for the biggest memory-consuming searches can be consulterd in the "Distributed Searches Memory Usage" view.

For further information on deployment best practices for SoS, please refer to this Splunk Answer.

View solution in original post

hexx
Splunk Employee
Splunk Employee

As of Splunk on Splunk 2.0, SoS ships with the ps_sos.sh scripted input which once enabled, allows you to track the CPU and memory usage of the main Splunk components :

  • Splunkweb, the cherrypy-based web front-end.
  • splunkd, the back-end daemon which manages the indexing of data.
  • The searches fired by splunkd to retrieve events and build reports.

Note: Currently, this scripted input only exists on Linux and Unix. A similar functionality for Windows will be added in a future SoS release.

Also: You do not need to install the SoS technology add-on on an instance where SoS is already installed.

The ps_sos.sh data input ships both with the SoS app and with the SoS technology add-on for Unix and Linux.

1) On a search-head or stand-alone indexer:

  • Install the SoS app.
  • Enable the ps_sos.sh scripted input by one of the following methods:

a) Go to Manager > Data Inputs > Scripts. Enable the ps_sos.sh data input.

or

b) Run the following command from a terminal window:

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/nobody/sos/data/inputs/script/.%252Fbin%252Fps_sos.sh' -post:disabled 0

2) On search peers:

a) If Splunkweb is running, go to Manager > Data Inputs > Scripts. Enable the ps_sos.sh data input.

or

b) Run the following command from a terminal window:

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/nobody/TA-sos/data/inputs/script/.%252Fbin%252Fps_sos.sh' -post:disabled 0

Going forward, you will be able to track the CPU and memory usage of Splunk in the "Splunk CPU/Memory Usage" SoS view. Per-search memory usage for the biggest memory-consuming searches can be consulterd in the "Distributed Searches Memory Usage" view.

For further information on deployment best practices for SoS, please refer to this Splunk Answer.

hexx
Splunk Employee
Splunk Employee

Yes, except that you should install the S.o.S technology add-on for Windows on your search peers and the script to be enabled is ps_sos.ps1.

0 Karma

Rob
Splunk Employee
Splunk Employee

Are the instructions for monitoring the resource usage for Windows the same?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...