<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How do you add Perfmon:Process in universal forwarders? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-you-add-Perfmon-Process-in-universal-forwarders/m-p/253814#M48713</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;How do you add Perfmon:Process into Splunk universal forwarders? I tried using the guides, but Splunk does not show any new Source/type.&lt;/P&gt;

&lt;P&gt;I added the following in both inputs.conf and wmi.conf. Do I need just one of them? &lt;/P&gt;

&lt;P&gt;I added the files in /etc/system/local/ directory of each server that has a UF:&lt;/P&gt;

&lt;P&gt;wmi.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;## Processes
[WMI:LocalProcesses]
interval = 10
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = windows
disabled = 0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;inputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[perfmon://Process]
interval = 10
object = Process
counters = *
instances = *
index = windows
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also in inputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The default index for the Windows event logs "wineventlog" seems to grow, but I can't see them in any of the servers. How do I search them? Are they supposed to show up in Source or Source Type?&lt;/P&gt;

&lt;P&gt;Please help.&lt;/P&gt;

&lt;P&gt;Thanks.&lt;/P&gt;</description>
    <pubDate>Tue, 12 Jul 2016 17:30:25 GMT</pubDate>
    <dc:creator>wellhung</dc:creator>
    <dc:date>2016-07-12T17:30:25Z</dc:date>
    <item>
      <title>How do you add Perfmon:Process in universal forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-you-add-Perfmon-Process-in-universal-forwarders/m-p/253814#M48713</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;How do you add Perfmon:Process into Splunk universal forwarders? I tried using the guides, but Splunk does not show any new Source/type.&lt;/P&gt;

&lt;P&gt;I added the following in both inputs.conf and wmi.conf. Do I need just one of them? &lt;/P&gt;

&lt;P&gt;I added the files in /etc/system/local/ directory of each server that has a UF:&lt;/P&gt;

&lt;P&gt;wmi.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;## Processes
[WMI:LocalProcesses]
interval = 10
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = windows
disabled = 0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;inputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[perfmon://Process]
interval = 10
object = Process
counters = *
instances = *
index = windows
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also in inputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The default index for the Windows event logs "wineventlog" seems to grow, but I can't see them in any of the servers. How do I search them? Are they supposed to show up in Source or Source Type?&lt;/P&gt;

&lt;P&gt;Please help.&lt;/P&gt;

&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jul 2016 17:30:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-you-add-Perfmon-Process-in-universal-forwarders/m-p/253814#M48713</guid>
      <dc:creator>wellhung</dc:creator>
      <dc:date>2016-07-12T17:30:25Z</dc:date>
    </item>
    <item>
      <title>Re: How do you add Perfmon:Process in universal forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-you-add-Perfmon-Process-in-universal-forwarders/m-p/253815#M48714</link>
      <description>&lt;P&gt;You can add perfmon monitoring by using either of those stanzas. Both are not required. The default sourcetype name should be "Perfmon:Process". Try searching the following to see if any events are being indexed:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="Perfmon:Process" 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Here is some additional information: &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowsperformance"&gt;http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowsperformance&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2016 20:50:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-you-add-Perfmon-Process-in-universal-forwarders/m-p/253815#M48714</guid>
      <dc:creator>jpolcari</dc:creator>
      <dc:date>2016-07-14T20:50:26Z</dc:date>
    </item>
  </channel>
</rss>

