How come, in the Splunk App for Infrastructure, so...

martinha1 · ‎12-21-2018

The Universal Forwarder is sending Data. the Data will be indexed in the Splunk Enterprise server and I see data in the metrics log files on the client and on the Splunk Server.

But, for two Windows 10 Clients, I get no Entity. On the Splunk Server, I have the Infrastructure App and the Add-on installed and on the Client, I have installed the Universal Forwarder with the Scripts as described in "App: Splunk App for Infrastructure -> Add Data -> Windows".

Actually, I have 3 Entities (two Linux Server and one Windows Server) but for the Win10 Agents, I have no Entity.

mattymo · ‎12-23-2018

Is this Windows 10 Pro? Home?

I am setting up a forwarder on a gift for the kiddo 🙂 going to test in a day or two. Will have Win10 Home Edition. Probably shouldn't matter, but just checking to be thorough.

- MattyMo

dagarwal_splunk · ‎12-21-2018

Try some of these steps first :
1) Can you check if the UF on the Windows machine is actually sending data? ".\splunk list forward-server". If you don't have any user login created on UF, you can use this: https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/User-seedconf

2) Make sure "outputs.conf" in UF is sending data to Infrastructure App.

3) Use Enterprise search to check if Windows metrics data is coming. Something like: " | mstats avg(_value) WHERE metric_name=* AND index=em_metrics AND entity_type=Windows_Host by metric_name"

martinha1 · ‎12-22-2018

thx I did the steps and it looks like as the UF is sending data but only from one metric

1) I have created a user login with a hashed PW but I get a "login failed" message

2) outputs.conf content
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.11.12.13:9997

3) I tried two searches
| mstats avg(_value) WHERE metric_name=* AND index=em_metrics AND entity_type=Windows_Host AND host=working-w2k12r2vm by metric_name
returns 164,450 events from 26 different metrics (Memory.Cache_Bytes, Process.%_User_Time, System.Threads, ...)

| mstats avg(_value) WHERE metric_name=* AND index=em_metrics AND entity_type=Windows_Host AND host=notworking-win10vm by metric_name
returns 2,961 events from 1 metric (System.Threads)

dagarwal_splunk · ‎01-02-2019

You should check the inputs.conf file on your UF. Make sure you have the perfmon stanzas like this :

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta = entity_type::Windows_Host

You will need the "Processor" object for entity to be discovered.
index=em_metrics and _meta = entity_type::Windows_Host are required.

martinha1 · ‎01-02-2019

hi dagarwal, the UF installations inputs.conf file, that delivers metrics have the same content as the UF installations that are not deliver metrics but i will test that.
thx

mattymo · ‎12-23-2018

I recommend also installing the metrics workspace - https://splunkbase.splunk.com/app/4192/ - s a good sanity check for App for Infra, as it will display any metrics that make it into the metric store without relying on entity correlation magic.

- MattyMo

How come, in the Splunk App for Infrastructure, some Entities are missing?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk