Splunk® Enterprise

Troubleshooting Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

What does platform instrumentation log?

This topic describes the contents of log files that are tailed to populate the _introspection index. For the log files that populate _internal, see What Splunk logs about itself.

These log files comply with the Common Information Model (CIM). See the CIM add-on documentation for more information.

"Extra field" indicates a field that is not logged by default. Read more about configuring polling intervals and enabling this feature on a universal forwarder in Configure platform instrumentation.

resource_usage.log

Per-process resource usage data

Platform instrumentation exposes OS resource usage information for Splunk software processes only, broken down by process. Splunk processes include splunkd, splunkweb, Splunk search processes, processes launched by splunkd (such as fsck and splunk-optimize), and modular or scripted inputs launched on behalf of splunkd.

These fields are available:

  • in the log file $SPLUNK_HOME/var/log/introspection/resource_usage.log
  • in an indexer's _introspection index
  • at the endpoint server/status/resource-usage/splunk-processes.

Data available for all Splunk software processes

You can view information about operating system resource utilization, broken down by Splunk process. Four fields here are "extra" fields, not logged by default. Read about populating extra fields in Configure platform instrumentation.

See the list of output fields at system/server/status/resource-usage/splunk-processes in the REST API Reference Manual.

Additional data available only for search processes

Splunk software can log all the above data for search processes (except args). It also logs further information specific to search processes, in a subsection called search_props.

See the list of output fields at system/server/status/resource-usage/splunk-processes in the REST API Reference Manual. The search process fields are embedded within the larger process table, at the search_props entry.

Hostwide resource usage data

You can view host-level, dynamic CPU utilization and paging information.

These fields are available:

  • in the log file resource_usage.log
  • in an indexer's _introspection index
  • at the endpoint server/status/resource-usage/hostwide.

See the list of output fields at system/server/status/resource-usage/hostwide in the REST API Reference Manual.
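The per-process, search_props and hostwide data described above all arrive as one JSON event per line in resource_usage.log. The following is an added example (not code from the Splunk documentation or product) that parses a few constructed lines in that shape and derives the figures an operator usually wants: memory per process name, search processes above a resource threshold (identified by the presence of search_props, with the sid and user taken from it), and host-level memory, swap and CPU pressure from the latest Hostwide event. The component names PerProcess and Hostwide and the field names used are assumptions about the log format; the sample values are made up.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of resource_usage.log (one JSON event per
# line). Component and field names are assumptions about the format; memory
# values are taken to be megabytes, as this example assumes.
SAMPLE_LOG = r'''
{"datetime":"12-01-2020 10:00:00.000 +0000","log_level":"INFO","component":"PerProcess","data":{"pid":"1001","ppid":"1","process":"splunkd","mem_used":"512.250","pct_memory":"3.20","pct_cpu":"4.10","normalized_pct_cpu":"1.02","fd_used":"310","elapsed":"86400.00"}}
{"datetime":"12-01-2020 10:00:00.000 +0000","log_level":"INFO","component":"PerProcess","data":{"pid":"1002","ppid":"1001","process":"splunkd","mem_used":"1800.500","pct_memory":"11.25","pct_cpu":"95.00","normalized_pct_cpu":"23.75","fd_used":"42","elapsed":"3200.00","search_props":{"sid":"1606816800.42","app":"search","user":"analyst1","mode":"historical","type":"ad-hoc"}}}
{"datetime":"12-01-2020 10:00:00.000 +0000","log_level":"INFO","component":"PerProcess","data":{"pid":"1003","ppid":"1001","process":"splunkd","mem_used":"96.000","pct_memory":"0.60","pct_cpu":"2.00","normalized_pct_cpu":"0.50","fd_used":"20","elapsed":"12.00","search_props":{"sid":"scheduler__admin__search__PLACEHOLDER","app":"search","user":"admin","mode":"historical","type":"scheduled"}}}
{"datetime":"12-01-2020 10:00:00.000 +0000","log_level":"INFO","component":"PerProcess","data":{"pid":"1004","ppid":"1001","process":"python","mem_used":"30.000","pct_memory":"0.19","pct_cpu":"0.10","normalized_pct_cpu":"0.03","fd_used":"9","elapsed":"5.00"}}
{"datetime":"12-01-2020 10:00:00.000 +0000","log_level":"INFO","component":"Hostwide","data":{"mem":"16000.000","mem_used":"9200.000","swap":"4096.000","swap_used":"256.000","cpu_user_pct":"35.50","cpu_system_pct":"6.25","cpu_idle_pct":"58.25","pg_paged_out":"0","pg_swapped_out":"0","runnable_process_count":"3"}}
'''


def parse_resource_usage(text):
    """Parse resource_usage.log text; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line at the tail of a live log is normal
        if "component" in event and isinstance(event.get("data"), dict):
            records.append(event)
    return records


def per_process(records):
    """The data blocks of PerProcess events only."""
    return [r["data"] for r in records if r["component"] == "PerProcess"]


def memory_by_process_name(records):
    """Sum mem_used (MB) per process name, e.g. splunkd plus all its searches."""
    totals = defaultdict(float)
    for d in per_process(records):
        totals[d.get("process", "?")] += float(d.get("mem_used", 0))
    return dict(totals)


def heavy_searches(records, max_mem_mb=1024.0, max_cpu_pct=80.0):
    """Search processes (those carrying search_props) above either threshold."""
    hits = []
    for d in per_process(records):
        props = d.get("search_props")
        if not props:
            continue  # not a search process
        mem = float(d.get("mem_used", 0))
        cpu = float(d.get("pct_cpu", 0))
        if mem > max_mem_mb or cpu > max_cpu_pct:
            hits.append({
                "sid": props.get("sid"), "user": props.get("user"),
                "app": props.get("app"), "pid": d.get("pid"),
                "mem_used_mb": mem, "pct_cpu": cpu,
            })
    return hits


def hostwide_pressure(records):
    """Memory, swap and CPU in use (percent) from the latest Hostwide event."""
    latest = None
    for r in records:
        if r["component"] == "Hostwide":
            latest = r["data"]
    if latest is None:
        return None
    mem, used = float(latest["mem"]), float(latest["mem_used"])
    swap, swap_used = float(latest["swap"]), float(latest["swap_used"])
    return {
        "mem_used_pct": round(100.0 * used / mem, 2) if mem else 0.0,
        "swap_used_pct": round(100.0 * swap_used / swap, 2) if swap else 0.0,
        "cpu_busy_pct": round(100.0 - float(latest.get("cpu_idle_pct", 100.0)), 2),
    }


if __name__ == "__main__":
    recs = parse_resource_usage(SAMPLE_LOG)
    print("memory by process:", memory_by_process_name(recs))
    for hit in heavy_searches(recs):
        print("heavy search:", hit)
    print("host pressure:", hostwide_pressure(recs))
```

On a real host the same logic can be pointed at $SPLUNK_HOME/var/log/introspection/resource_usage.log, or expressed as a search over the _introspection index with component=PerProcess and data.search_props.sid=*; keying on search_props rather than on a process name is what separates a search from the splunkd server process, which reports under the same process name.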

I/O statistics

Disk input-output usage statistics. The Splunk Enterprise iostats endpoint displays the most recent data. Historical data is logged to resource_usage.log.

Note that the statistics available here are usage statistics, not benchmarks.

See the list of output fields at server/status/resource-usage/iostats in the REST API Reference Manual.

Search infrastructure data

Unlike most data available under server/introspection, the search infrastructure data is logged in metrics.log and audit.log, which are indexed into _internal and _audit, respectively, and available in the file system at $SPLUNK_HOME/var/log/splunk. Read about metrics.log components in "About metrics.log."

server/introspection/search/dispatch

Provides vital statistics for distributed search framework, including details on search peer performance.

disk_objects.log

This disk object data is available in the log file $SPLUNK_HOME/var/log/introspection/disk_objects.log.

Additionally, the latest snapshot of these field values is available at endpoints as itemized below.

server/info

Splunk Enterprise server configuration information (static server characteristics; dynamic characteristics go under server/status).

See the list of output fields at system/server/info in the REST API Reference Manual.

data/index-volumes

Lists the Splunk Enterprise volume(s).

See the list of output fields at data/index-volumes in the REST API Reference Manual.

data/index-volumes/{Name}

Characterizes persisted objects at the volume level.

See the list of output fields at index/data/index-volumes/{Name} in the REST API Reference Manual.

data/indexes-extended

Provides information about Splunk Enterprise index buckets.

See the list of output fields at index/data/indexes-extended in the REST API Reference Manual.

data/indexes-extended/{Name}

Provides bucket-level information for the specified index.

See the list of output fields at data/indexes-extended/{Name} in the REST API Reference Manual.

server/status/dispatch-artifacts

Accesses search job information.

See the list of output fields at server/status/dispatch-artifacts in the REST API Reference Manual.

server/status/fishbucket

Accesses information about the private BTree database and gives an idea of fishbucket growth. The fishbucket is a directory, $SPLUNK_DB/fishbucket/splunk_private_db/, that keeps a record about each file input. Most fundamentally, this record tracks how far into each file splunkd has read, so that if splunkd is stopped and then restarted, it knows where in each file input to resume reading.

See the list of output fields at server/status/fishbucket in the REST API Reference Manual.

server/status/limits/search-concurrency

Search concurrency limits for a standalone Splunk Enterprise instance.

See the list of output fields at system/server/status/limits/search-concurrency in the REST API Reference Manual.

server/status/partitions-space

Helps track disk usage. These results show only partitions with Splunk disk objects (indexes, volumes, logs, fishbucket, search process artifacts) on them. There is a partitions event for each file system, and each event gives the respective file system type.

A file system (or "volume" in Windows) is a logical concept, identified on UNIX by a number called "device ID." A file system has the property of type (format). For example: ZFS, EXT3.

A partition is a physical concept, simply a chunk of hard drive (or solid state drive). All we know about a partition is its size. A file system can reside on multiple partitions. Splunk Enterprise does not report at the partition level.

See the list of output fields at server/status/partitions-space in the REST API Reference Manual.
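The distinction drawn above, one partitions-space event per file system rather than per directory or per partition, is easy to reproduce on a UNIX host: directories share a file system when their device ID (st_dev) is equal. The following is an added example, not code from the Splunk documentation or product, that groups the usual Splunk disk-object locations by file system and reports the space figures for each. The dispatch directory under var/run/splunk and the default $SPLUNK_DB location are assumptions for the sample input; a missing directory is attributed to the nearest existing ancestor, the same way a new index directory would land on whatever file system its parent is on.

```python
import os


def nearest_existing(path):
    """Walk up until a path exists: a not-yet-created Splunk directory still
    ends up on the file system of its nearest existing ancestor."""
    path = os.path.abspath(path)
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def splunk_disk_object_paths(splunk_home, splunk_db):
    """Labelled locations of Splunk disk objects. The dispatch path is an
    assumption for this example; the fishbucket and log paths follow the text."""
    return {
        "indexes/volumes": splunk_db,
        "fishbucket": os.path.join(splunk_db, "fishbucket", "splunk_private_db"),
        "logs": os.path.join(splunk_home, "var", "log", "splunk"),
        "dispatch": os.path.join(splunk_home, "var", "run", "splunk", "dispatch"),
    }


def group_by_filesystem(labelled_paths):
    """Group disk-object locations by file system (UNIX device ID) and attach
    the space figures for that file system, one entry per file system."""
    groups = {}
    for label, path in labelled_paths.items():
        probe = nearest_existing(path)
        dev = os.stat(probe).st_dev
        entry = groups.setdefault(dev, {"device_id": dev, "objects": [], "probe": probe})
        entry["objects"].append(label)
    for entry in groups.values():
        st = os.statvfs(entry["probe"])
        entry["total_bytes"] = st.f_blocks * st.f_frsize
        # f_bavail is what an unprivileged process such as splunkd can still use;
        # f_bfree additionally counts blocks reserved for root.
        entry["free_bytes"] = st.f_bavail * st.f_frsize
        entry["free_pct"] = round(100.0 * entry["free_bytes"] / entry["total_bytes"], 2) if entry["total_bytes"] else 0.0
    return groups


def sample_report():
    """Constructed sample using the default install locations (assumed here)."""
    return group_by_filesystem(
        splunk_disk_object_paths("/opt/splunk", "/opt/splunk/var/lib/splunk"))


if __name__ == "__main__":
    for dev, entry in sample_report().items():
        print("device %d: %s objects=%s free=%.2f%%" % (
            dev, entry["probe"], ",".join(entry["objects"]), entry["free_pct"]))
```

Several labels under one device ID is the normal case for a default install, and it is why a single full file system takes indexes, logs and search artifacts down together; placing $SPLUNK_DB on its own file system shows up here as a second device ID.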

Last modified on 11 December, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0

