What does platform instrumentation log?
This topic describes the contents of log files that are tailed to populate the _introspection index. For the log files that populate _internal, see What Splunk logs about itself.
These log files comply with the Common Information Model (CIM). See the CIM add-on documentation for more information.
"Extra field" indicates a field that is not logged by default. Read more about configuring polling intervals and enabling this feature on a universal forwarder in Configure platform instrumentation.
resource_usage.log
Per-process resource usage data
Platform instrumentation exposes OS resource usage information only for Splunk software processes, broken down by process. Splunk processes include splunkd, splunkweb, Splunk search processes, processes launched by splunkd (fsck, splunk-optimize), and modular or scripted inputs launched on behalf of splunkd.
These fields are available:
- in the log file $SPLUNK_HOME/var/log/introspection/resource_usage.log
- in an indexer's _introspection index
- at the endpoint server/status/resource-usage/splunk-processes.
Data available for all Splunk software processes
You can view information about operating system resource utilization, broken down by Splunk process. Four fields here are "extra" fields, not logged by default. Read about populating extra fields in Configure platform instrumentation.
See the list of output fields at system/server/status/resource-usage/splunk-processes in the REST API Reference Manual.
Additional data available only for search processes
Splunk software can log all the above data for search processes (except args). In addition, it logs some additional information about search processes, in a subsection called search_props.
See the list of output fields at system/server/status/resource-usage/splunk-processes in the REST API Reference Manual. The search process fields are embedded within the larger process table, at the search_props entry.
Hostwide resource usage data
You can view host-level, dynamic CPU utilization and paging information.
These fields are available:
- in the log file resource_usage.log
- in an indexer's _introspection index
- at the endpoint server/status/resource-usage/hostwide.
See the list of output fields at system/server/status/resource-usage/hostwide in the REST API Reference Manual.
I/O statistics
Disk input-output usage statistics. The Splunk Enterprise iostats endpoint displays the most recent data. Historical data is logged to resource_usage.log.
Note that the statistics available here are usage statistics, not benchmarks.
See the list of output fields at server/status/resource-usage/iostats in the REST API Reference Manual.
Search infrastructure data
Unlike most data available under server/introspection, the search infrastructure data is logged in metrics.log and audit.log, which are indexed to _internal and _audit, respectively, and available in the file system at $SPLUNK_HOME/var/log/splunk. Read about metrics.log components in "About metrics.log."
server/introspection/search/dispatch
Provides vital statistics for the distributed search framework, including details on search peer performance.
disk_objects.log
This disk object data is available in the log file $SPLUNK_HOME/var/log/introspection/disk_objects.log.
Additionally, the latest snapshot of these field values is available at endpoints as itemized below.
server/info
Splunk Enterprise server configuration information (static server characteristics; dynamic characteristics go under server/status).
See the list of output fields at system/server/info in the REST API Reference Manual.
data/index-volumes
Lists the Splunk Enterprise volume(s).
See the list of output fields at data/index-volumes in the REST API Reference Manual.
data/index-volumes/{Name}
Characterizes persisted objects at the volume level.
See the list of output fields at index/data/index-volumes/{Name} in the REST API Reference Manual.
data/indexes-extended
Provides information about Splunk Enterprise index buckets.
See the list of output fields at index/data/indexes-extended in the REST API Reference Manual.
data/indexes-extended/{Name}
Provides bucket-level information for the specified index.
See the list of output fields at data/indexes-extended/{Name} in the REST API Reference Manual.
server/status/dispatch-artifacts
Accesses search job information.
See the list of output fields at server/status/dispatch-artifacts in the REST API Reference Manual.
server/status/fishbucket
Accesses information about the private BTree database. Gives an idea of fishbucket growth. The fishbucket is a directory, $SPLUNK_DB/fishbucket/splunk_private_db/, that keeps a record about each file input. Most fundamentally, this record keeps track of how far into the file we've read, so that if splunkd is stopped and then restarted, it'll know where in each file input to resume reading.
See the list of output fields at server/status/fishbucket in the REST API Reference Manual.
server/status/limits/search-concurrency
Search concurrency limits for a standalone Splunk Enterprise instance.
See the list of output fields at system/server/status/limits/search-concurrency in the REST API Reference Manual.
server/status/partitions-space
Helps track disk usage. These results show only partitions with Splunk disk objects (indexes, volumes, logs, fishbucket, search process artifacts) on them. There is a partitions event for each file system, and each event gives the respective file system type.
A file system (or "volume" in Windows) is a logical concept, identified on UNIX by a number called "device ID." A file system has the property of type (format). For example: ZFS, EXT3.
A partition is a physical concept, simply a chunk of hard drive (or solid state drive). All we know about a partition is its size. A file system can reside on multiple partitions. Splunk Enterprise does not report at the partition level.
See the list of output fields at server/status/partitions-space in the REST API Reference Manual.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1