
PerfMon Problem: collection="Processor Information" object="Processor Information" counter="% Processor Time" Instance Incorrectly Extracted

dijikul
Communicator

Trying to report % Processor Time per-process (instance); however, the raw data isn't being correctly extracted, it seems, with the data being truncated at a comma.

Each event collected from PerfMon has a line with a value for instance. A raw event looks like this:

11/02/2018 23:04:07.988 -0600
collection="Processor Information"
object="Processor Information"
counter="% Processor Time"
instance=0,0
Value=3.343537056348178

The problem arises when trying to differentiate values across 16 possible threads on a Xeon 8 Core Hyper-threaded server where the instance values all report as follows:

instance=0,0
instance=0,1
instance=0,2
instance=0,3
...
instance=0,12
instance=0,13
instance=0,14
instance=0,15

The Windows TA is only extracting the Instance=0 portion causing the last digit to be chopped off at the comma.

What would need to be changed in order to correct the extraction for these individual CPU core values?


martin_mueller
SplunkTrust

You'd need to

  1. file a support case with Splunk to make sure some future version of the TA will be able to handle this out of the box, ideally by putting values that contain a comma in double quotes.
  2. add a field extraction for that sourcetype with the inline expression (EXTRACT-foo in props.conf) (?m)^instance=(?<instance>[^\r\n]+). That will overwrite the default key=value extraction which assumes unquoted values can be separated and therefore terminated by commas.
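
To check the expression offline before deploying it, the added example below (not part of the original thread, and not Splunk's code) runs it over constructed copies of the event from the question. KV_APPROX is an assumed, simplified stand-in for comma-terminated key=value extraction, and Python writes the named group as (?P<instance>...) rather than (?<instance>...).

```python
import re

# Constructed sample data: the event from the question, one per logical CPU.
def make_event(thread: int) -> str:
    return (
        "11/02/2018 23:04:07.988 -0600\n"
        'collection="Processor Information"\n'
        'object="Processor Information"\n'
        'counter="% Processor Time"\n'
        f"instance=0,{thread}\n"
        "Value=3.343537056348178\n"
    )

EVENTS = [make_event(t) for t in range(16)]

# Assumption: simplified model of automatic key=value extraction in which an
# unquoted value ends at a comma or whitespace, while a quoted value is kept whole.
KV_APPROX = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,"]+))')

# The expression from the answer, with the named group in Python syntax.
LINE_ANCHORED = re.compile(r"(?m)^instance=(?P<instance>[^\r\n]+)")


def kv_instance(event: str):
    """Value of 'instance' under the comma-terminated model, or None."""
    for key, quoted, bare in KV_APPROX.findall(event):
        if key == "instance":
            return quoted or bare
    return None


def line_instance(event: str):
    """Value of 'instance' taken to end of line, or None if the field is absent."""
    match = LINE_ANCHORED.search(event)
    return match.group("instance") if match else None


def distinct_instances(extract) -> list:
    """Distinct instance values an extractor yields across all sample events."""
    return sorted({extract(e) for e in EVENTS})


if __name__ == "__main__":
    print("comma-terminated:", distinct_instances(kv_instance))
    print("line-anchored:   ", distinct_instances(line_instance))
```

Under the comma-terminated model all 16 threads collapse into a single instance value, while the line-anchored expression keeps them distinct and also stops cleanly before a carriage return in CRLF input.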


dijikul
Communicator

Thanks, @martin_mueller. Creating the Extract in my Search Cloud as you described extracted the correct instances!
