https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97266#M20271 <P>Hi, </P> <P>The following is my setup.</P> <P>Indexer is running on Linux, and App "Splunk for Windows" installed on it. Universal Forwarder is installed on another Windows Server, forwarding everything to the indexer. </P> <P>I can see windows event log, but in the Performance Management windows, all 5 pane are empty. Wondering if the app only works on Windows indexer, not linux indexer.</P> <P>Thanks,<BR /> James</P> Fri, 06 May 2011 23:05:32 GMT jameszh 2011-05-06T23:05:32Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97266#M20271 <P>Hi, </P> <P>The following is my setup.</P> <P>Indexer is running on Linux, and App "Splunk for Windows" installed on it. Universal Forwarder is installed on another Windows Server, forwarding everything to the indexer. </P> <P>I can see windows event log, but in the Performance Management windows, all 5 pane are empty. Wondering if the app only works on Windows indexer, not linux indexer.</P> <P>Thanks,<BR /> James</P> Fri, 06 May 2011 23:05:32 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97266#M20271 jameszh 2011-05-06T23:05:32Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97267#M20272 <P>The windows app does work on linux (i mean searches,reports,dashboard) and the performance management dashboard based it's searching over WMI data, so if you're not indexing WMI:* these will not load.</P> <P>Also if using Perfmon:* it will not work.</P> Sun, 08 May 2011 09:24:20 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97267#M20272 MarioM 2011-05-08T09:24:20Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97268#M20273 <P>The Universal Forwarder in Windows is configured to forward wmi data to the indexer(receiving is enabled in indexer as well). What else needs to be done in indexer to show the performance data from windows?</P> <P>Thanks,<BR /> James</P> Sun, 08 May 2011 22:05:29 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97268#M20273 jameszh 2011-05-08T22:05:29Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97269#M20274 <P>Do you see any WMI:* source or sourcetype in your main splunk ?</P> <P>You could search internal log for any issues:</P> <PRE><CODE>index="_*" WMI* </CODE></PRE> Mon, 09 May 2011 05:43:20 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97269#M20274 MarioM 2011-05-09T05:43:20Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97270#M20275 <P>It seems Universal Forwarder doesn't forward wmi, only eventlog + perfmon, I can't see WMI: source in the main splunk. How can I collect wmi data from windows in Linux? </P> <P>Thanks,<BR /> James</P> Mon, 09 May 2011 13:38:36 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97270#M20275 jameszh 2011-05-09T13:38:36Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97271#M20276 <P>in your UF installation you need a wmi.conf for example in splunk\etc\system\local with the following:</P> <PRE><CODE> [WMI:CPUTime] ## Run every 5 minutes interval = 300 wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total" disabled = false [WMI:FreeDiskSpace] interval = 10 wql = SELECT Name,FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk disabled = false [WMI:LocalPhysicalDisk] interval = 10 wql = select Name,CurrentDiskQueueLength,DiskBytesPerSec,PercentDiskReadTime,PercentDiskWriteTime,PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk disabled = false [WMI:LocalProcesses] ## Run every 5 minutes interval = 300 wql = select Name,IDProcess,PrivateBytes,PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process disabled = false [WMI:LocalNetwork] ## Run every 5 minutes interval = 300 wql = select Name,BytesReceivedPerSec,BytesSentPerSec,BytesTotalPerSec,CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface disabled = false [WMI:Memory] ## Run every 5 minutes interval = 300 wql = select PagesPerSec,AvailableMBytes,CommittedBytes,PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory disabled = false </CODE></PRE> Mon, 09 May 2011 14:57:26 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97271#M20276 MarioM 2011-05-09T14:57:26Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97272#M20277 <P>This works, thanks MarioM!</P> Mon, 09 May 2011 16:46:45 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97272#M20277 jameszh 2011-05-09T16:46:45Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97273#M20278 <P>Be aware that MS WMI is very resource hungry.Then you might need to adapt the interval.</P> Mon, 09 May 2011 16:57:07 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97273#M20278 MarioM 2011-05-09T16:57:07Z https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97274#M20279 <P>and can you accept the answer.Thanks <span class="lia-unicode-emoji" title=":winking_face_with_tongue:">😜</span></P> Mon, 09 May 2011 16:59:04 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-app-on-LInux-Indexer/m-p/97274#M20279 MarioM 2011-05-09T16:59:04Z