topic Re: Sending Perfmon data to metrics index in Getting Data In

Sending Perfmon data to metrics index

andreasz — Fri, 05 Jan 2018 13:47:09 GMT

I would like to collect my windows perfmon data into a metrics index. Is this feature planned for the near future?

The reason: I've had very good experience with the new metrics index. Great performance and very powerfull mstats command (no extra data model plus acceleration jobs)

Thanks for your help in advance,
Andreas

Re: Sending Perfmon data to metrics index

ddrillic — Fri, 05 Jan 2018 14:23:17 GMT

This can help - Monitor Windows performance

Re: Sending Perfmon data to metrics index

andreasz — Fri, 05 Jan 2018 14:29:59 GMT

@ddrillic: thanks for the answer, but I already know this document. I'm talking about the new Splunk 7 feature: metrics index.

Re: Sending Perfmon data to metrics index

bsonposh — Fri, 05 Jan 2018 15:31:17 GMT

I do believe they will enable this feature for v.next but the problem is one of cost. The currently implementation of perfmon data uses CSV which has a significantly lower data cost than metrics which is billed by each metric.

I believe the intent is to address this.

Re: Sending Perfmon data to metrics index

maciep — Fri, 05 Jan 2018 16:33:24 GMT

Updated to include example

not on 7.x yet, so i can't try...but can your format the data on the way in to be in the right format for a metrics index?

http://docs.splunk.com/Documentation/Splunk/7.0.1/Metrics/GetMetricsInOther

For example, to get the required indexed metric fields:

inputs.conf (uf):

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time
disabled = 0
instances = *
interval = 60
object = Processor
useEnglishOnly=true
index = tester
sourcetype=perfmon:test

Props.conf (parsing layer):

[perfmon:test]
TRANSFORMS-metric = cpu_metric
TRANSFORMS-value = cpu_value

transforms.conf (parsing layer):

[cpu_metric]
REGEX = collection=(.+)[\s\S]*counter=(.+)[\s\S]*instance=(.+)
FORMAT = metric_name::$1.$3.$2
WRITE_META = true

[cpu_value]
REGEX = Value=(.+)
FORMAT = metric_value::$1
WRITE_META = true

This is sort of what I'm hoping to try when we upgrade, but I'm still worried about all of the indexed fields, but hopefully the metrics index file is more efficient/smaller than tsidx?

Re: Sending Perfmon data to metrics index

andreasz — Fri, 05 Jan 2018 17:00:42 GMT

Good point. I'm currently using the multikv mode and the data volume is really small

Re: Sending Perfmon data to metrics index

andreasz — Fri, 05 Jan 2018 17:02:10 GMT

To accomplish this, I would have to "hack" the splunk-perfmon.exe 😉

Re: Sending Perfmon data to metrics index

maciep — Fri, 05 Jan 2018 17:31:29 GMT

I didn't mean at the forwarder, but at parse time. So the data gets sent to your indexer/hf, and then you do some index-time extractions to get the fields you need. I was hoping to try something similar once we get upgrade to 7.x

Admittedly, I've never really looked into the parse/index time config for perfmon data, but I feel like this could be doable?