Splunk® Enterprise

Troubleshooting Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Splunk on Splunk app

Splunk on Splunk (SoS) is an app that uses Splunk Enterprise diagnostic tools to analyze and troubleshoot your configuration. SoS contains views and tooling that allow you to do the following:

  • View, search, and compare Splunk Enterprise configuration files.
  • Detect and expose errors and anomalies in your installation, including inspection of crash logs.
  • Measure indexing performance and expose event processing bottlenecks.
  • View details of scheduler and user-driven search activity.
  • Analyze Splunk Enterprise data volume metrics.

For information about installing and configuring the Splunk on Splunk app, see the Splunk on Splunk documentation.

How Splunk on Splunk differs from the DMC

The SoS app reached its end of life with version 6.3.0 of Splunk Enterprise. Its functionality is replaced and extended by the Distributed Management Console (DMC), which is included with Splunk Enterprise versions 6.2.0 and later.

We recommend that you migrate from SoS to the DMC for all your Splunk Enterprise monitoring and introspection needs. Documentation on the SoS app continues to be published as a convenience for those who have chosen to use it, even though it is no longer supported.

SoS DMC
Supported No Yes
Acquired Via Splunkbase Ships with Splunk Enterprise
Install Location Search Head Non-production search head
Supports Single Instance Yes Yes
Data Sources Splunk Logs, Scripted Inputs (counts against license) Splunk Logs, Introspection (does not count against license), REST
User Defined Grouping No Yes
Topology View Yes Yes
Topology - Server Roles Search Heads, Indexers, Forwarders Search Heads, Indexers, Custom Groups
Topology - Node Detail Yes Yes
Topology - Overlay Status, CPU, Memory Status, CPU, Memory, Search Count, Indexing Rate
Topology - Node Relationship No Yes
Configuration File Viewer Yes No
Security Health Check Yes No
Warnings & Errors/Crashlog View Yes No
Resource Usage Views Yes Yes
Resource Usage - CPU/Memory by Splunk Instance Yes Yes
Resource Usage - CPU/Memory Deployment Views No Yes
Resource Usage - File Descriptor Usage Yes No
KV Store No Yes
Forwarder Monitoring No Yes (6.3.0+)
HTTP Event Collector No Yes (6.4.0+)
Last modified on 06 September, 2016
PREVIOUS
Use btool to troubleshoot configurations 		  NEXT
What Splunk software logs about itself

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters