
Splunk on Splunk app
Splunk on Splunk (SoS) is an app that uses Splunk Enterprise diagnostic tools to analyze and troubleshoot your configuration. SoS contains views and tooling that allow you to do the following:
- View, search, and compare Splunk Enterprise configuration files.
- Detect and expose errors and anomalies in your installation, including inspection of crash logs.
- Measure indexing performance and expose event processing bottlenecks.
- View details of scheduler and user-driven search activity.
- Analyze Splunk Enterprise data volume metrics.
For information about installing and configuring the Splunk on Splunk app, see the Splunk on Splunk documentation.
How Splunk on Splunk differs from the DMC
The SoS app reached its end of life with version 6.3.0 of Splunk Enterprise. Its functionality is replaced and extended by the Distributed Management Console (DMC), which is included with Splunk Enterprise versions 6.2.0 and later.
We recommend that you migrate from SoS to the DMC for all your Splunk Enterprise monitoring and introspection needs. Documentation on the SoS app continues to be published as a convenience for those who have chosen to use it, even though it is no longer supported.
SoS | DMC | |
---|---|---|
Supported | No | Yes |
Acquired Via | Splunkbase | Ships with Splunk Enterprise |
Install Location | Search Head | Non-production search head |
Supports Single Instance | Yes | Yes |
Data Sources | Splunk Logs, Scripted Inputs (counts against license) | Splunk Logs, Introspection (does not count against license), REST |
User Defined Grouping | No | Yes |
Topology View | Yes | Yes |
Topology - Server Roles | Search Heads, Indexers, Forwarders | Search Heads, Indexers, Custom Groups |
Topology - Node Detail | Yes | Yes |
Topology - Overlay | Status, CPU, Memory | Status, CPU, Memory, Search Count, Indexing Rate |
Topology - Node Relationship | No | Yes |
Configuration File Viewer | Yes | No |
Security Health Check | Yes | No |
Warnings & Errors/Crashlog View | Yes | No |
Resource Usage Views | Yes | Yes |
Resource Usage - CPU/Memory by Splunk Instance | Yes | Yes |
Resource Usage - CPU/Memory Deployment Views | No | Yes |
Resource Usage - File Descriptor Usage | Yes | No |
KV Store | No | Yes |
Forwarder Monitoring | No | Yes (6.3.0+) |
HTTP Event Collector | No | Yes (6.4.0+) |
PREVIOUS Use btool to troubleshoot configurations |
NEXT What Splunk software logs about itself |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Feedback submitted, thanks!