Splunk® Enterprise

Troubleshooting Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Splunk on Splunk app

Splunk on Splunk (SoS) is an app that uses Splunk Enterprise diagnostic tools to analyze and troubleshoot your configuration. SoS contains views and tooling that allow you to do the following:

  • View, search, and compare Splunk Enterprise configuration files.
  • Detect and expose errors and anomalies in your installation, including inspection of crash logs.
  • Measure indexing performance and expose event processing bottlenecks.
  • View details of scheduler and user-driven search activity.
  • Analyze Splunk Enterprise data volume metrics.

For information about installing and configuring the Splunk on Splunk app, see the Splunk on Splunk documentation.

How Splunk on Splunk differs from the DMC

The SoS app reached its end of life with version 6.3.0 of Splunk Enterprise. Its functionality is replaced and extended by the Distributed Management Console (DMC), which is included with Splunk Enterprise versions 6.2.0 and later.

We recommend that you migrate from SoS to the DMC for all your Splunk Enterprise monitoring and introspection needs. Documentation on the SoS app continues to be published as a convenience for those who have chosen to use it, even though it is no longer supported.

Supported No Yes
Acquired Via Splunkbase Ships with Splunk Enterprise
Install Location Search Head Non-production search head
Supports Single Instance Yes Yes
Data Sources Splunk Logs, Scripted Inputs (counts against license) Splunk Logs, Introspection (does not count against license), REST
User Defined Grouping No Yes
Topology View Yes Yes
Topology - Server Roles Search Heads, Indexers, Forwarders Search Heads, Indexers, Custom Groups
Topology - Node Detail Yes Yes
Topology - Overlay Status, CPU, Memory Status, CPU, Memory, Search Count, Indexing Rate
Topology - Node Relationship No Yes
Configuration File Viewer Yes No
Security Health Check Yes No
Warnings & Errors/Crashlog View Yes No
Resource Usage Views Yes Yes
Resource Usage - CPU/Memory by Splunk Instance Yes Yes
Resource Usage - CPU/Memory Deployment Views No Yes
Resource Usage - File Descriptor Usage Yes No
KV Store No Yes
Forwarder Monitoring No Yes (6.3.0+)
HTTP Event Collector No Yes (6.4.0+)
Last modified on 06 September, 2016
Use btool to troubleshoot configurations
What Splunk software logs about itself

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Hi Keigunyuki,
You are correct, the SoS app has been end-of-lifed and replaced by the DMC. We've updated this topic to reflect that (and why). Thanks!

Jlaw splunk, Splunker
September 6, 2016

Hi, I just tried to download the "Splunk on Splunk app" which be introduced on this page. But the Overview of the app show me the information below.
Since this manual is for ver 6.4.2, I believe the description of the Troubleshooting Manual is wrong.
Am I right? Or, I should ignore the information below, but try to use this app?

IMPORTANT: As of Splunk Enterprise 6.3, the S.o.S app is End of Life. Its functionality has been replaced and superseded by the Distributed Management Console, a feature that is included with Splunk Enterprise as of version 6.2. We recommend that you migrate from S.o.S to the DMC for all your Splunk monitoring and introspection needs at your earliest convenience.


July 20, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters