<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Adding perf counters for processes that are not currently running in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Adding-perf-counters-for-processes-that-are-not-currently/m-p/51775#M9927</link>
    <description>&lt;P&gt;I'm setting up my splunk forwarder on a generalized image that will be sysprep'd.  I want to include perf counters, such as .NET CLR Memory, Process, and others that I want to be process specific.  &lt;/P&gt;

&lt;P&gt;As it appears to me with all the process-specific counters, I can only select processes that are currently running.  What I would like to do is select something like "all running processes" because in my use case, I want to see all processes that would be installed on the machines after sysprep.  I'm not concerned with gathering too much info on processes I don't care about as long as I cover any and all of them.  Can anyone think of a way to retrieve this or any possible workarounds?&lt;/P&gt;

&lt;P&gt;Also, I'm finding that the .NET CLR Memory counters are only global and not process specific.  Is there a way to retrieve ones that are not just &lt;EM&gt;global&lt;/EM&gt; but per process?&lt;/P&gt;

&lt;P&gt;Any help or insight is greatly appreciated.&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Mon, 01 Aug 2011 21:58:44 GMT</pubDate>
    <dc:creator>matthewmalecki</dc:creator>
    <dc:date>2011-08-01T21:58:44Z</dc:date>
    <item>
      <title>Adding perf counters for processes that are not currently running</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Adding-perf-counters-for-processes-that-are-not-currently/m-p/51775#M9927</link>
      <description>&lt;P&gt;I'm setting up my splunk forwarder on a generalized image that will be sysprep'd.  I want to include perf counters, such as .NET CLR Memory, Process, and others that I want to be process specific.  &lt;/P&gt;

&lt;P&gt;As it appears to me with all the process-specific counters, I can only select processes that are currently running.  What I would like to do is select something like "all running processes" because in my use case, I want to see all processes that would be installed on the machines after sysprep.  I'm not concerned with gathering too much info on processes I don't care about as long as I cover any and all of them.  Can anyone think of a way to retrieve this or any possible workarounds?&lt;/P&gt;

&lt;P&gt;Also, I'm finding that the .NET CLR Memory counters are only global and not process specific.  Is there a way to retrieve ones that are not just &lt;EM&gt;global&lt;/EM&gt; but per process?&lt;/P&gt;

&lt;P&gt;Any help or insight is greatly appreciated.&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 01 Aug 2011 21:58:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Adding-perf-counters-for-processes-that-are-not-currently/m-p/51775#M9927</guid>
      <dc:creator>matthewmalecki</dc:creator>
      <dc:date>2011-08-01T21:58:44Z</dc:date>
    </item>
    <item>
      <title>Re: Adding perf counters for processes that are not currently running</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Adding-perf-counters-for-processes-that-are-not-currently/m-p/51776#M9928</link>
      <description>&lt;P&gt;What you would be looking for is a Query to each machine that runs a list of installed processes then right? &lt;/P&gt;

&lt;P&gt;In that case, you may be able to build a wmi call that does that. &lt;/P&gt;

&lt;P&gt;In the technical add-on for windows (Splunk.TA.Windows) /default directory you will see a file called 'wmi.conf' which is where you will see all of the wql queries that splunk uses to talk to windows directly. copy that to /local, and If you research your wql query on the web, and then add a new section to this file with your desired query in it, you should get the results you're looking for.&lt;/P&gt;

&lt;P&gt;This is an example of an entry from that file: &lt;/P&gt;

&lt;P&gt;disabled = 1 &lt;BR /&gt;&lt;BR /&gt;
Run twice per day&lt;BR /&gt;&lt;BR /&gt;
interval = 43200&lt;BR /&gt;&lt;BR /&gt;
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account&lt;/P&gt;

&lt;P&gt;the 'wql' portion is what you would need to adjust, and keep in mind the interval is in seconds.&lt;BR /&gt;
(43200 seconds = 12 hours)&lt;/P&gt;

&lt;P&gt;Unfortunately I don't know enough about wql to help with that part. =(  &lt;/P&gt;</description>
      <pubDate>Wed, 14 May 2014 20:55:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Adding-perf-counters-for-processes-that-are-not-currently/m-p/51776#M9928</guid>
      <dc:creator>tmarlette</dc:creator>
      <dc:date>2014-05-14T20:55:37Z</dc:date>
    </item>
  </channel>
</rss>

