Perfmon-Warnings when restarting Splunk UF Service

bojanjanisch
New Member

Hi everyone,

I'm running a Splunk UF 6.6.8 on Windows Server 2012 and indexing perfmon data using the Splunk TA for Windows. Each time I restart the service (due to a server reboot, for example), I get the following warnings in Splunk:

WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf, line 100: Cannot parse into key-value pair: Disk Writes/sec;

I'm getting casual perfmon data during runtime; however, I can repeat this behavior with every service restart, I don't even need to reboot the server. I also tried using mode = multikv, but this had no effect, so I assume it may not really be a parsing issue but something else.

Does someone know the reason behind this behavior and maybe a workaround or bugfix?

Greetings

0 Karma

dstaulcu
Builder

Only thing that jumps out at me is the capitalized "I" in your "Avg. DIsk Bytes/Write" entry.

I don't trust myself to accurately type counter names in perfmon-based input specs. Instead I use a PowerShell script to select from a list of all possible perfmon objects and to return a sample inputs.conf file having their associated counters listed in spec format.

https://github.com/dstaulcu/SplunkTools/blob/master/PerfmonSelectionsToSplunkInput.ps1

0 Karma

bojanjanisch
New Member

Yeah, that capitalized "i" was a typo. I couldn't copy/paste the config since it lies in a military zone, so all I could do was write it manually. I also don't think this is a configuration issue, since I'm getting data from all counters.

However, if the UF service is restarted, I get the stated warning in my _internal index and I don't know why. But only once during the restart.

0 Karma

dstaulcu
Builder

Try counters = * to see if the problem goes away.

Also, odd that you would have a search app on the UF and that your inputs spec is in it.

0 Karma

bojanjanisch
New Member

"Search" app is a placeholder. It doesn't matter in which app I put the configuration, does it?

0 Karma

bojanjanisch
New Member

Forgot to add the config stanza:

[perfmon://LogicalDisk]
counters = % Disk Time; %Disk Write Time; % Disk Read Time; % Free Space; % Idle Time; Avg. Disk Bytes/Transfer; Avg. DIsk Bytes/Write; Avg. Disk Bytes/Read; Avg. Disk Queue Length; Avg. Disk Write Queue Length; Avg. Disk Read Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Write; Avg. Disk sec/Read; Disk Bytes/sec; Disk Transfers/sec; Disk Write Bytes/sec; Disk Read Bytes/sec; Disk Reads/sec; Disk Writes/sec; Free Megabytes;
disabled = 0
instances = *
interval = 300
object = LogicalDisk
useEnglishOnly = true
index = os
showZeroValue = 1
0 Karma
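
The warning in the first post names a line that could not be read as a key-value pair. The following is an added example, not from the thread and not Splunk's own parser: a simplified checker that lists every line of a .conf file that is not blank, a comment, a stanza header, a `key = value` pair, or the continuation of a value ended with a backslash. The parsing rules are an assumption about .conf syntax, and both sample files are constructed for illustration, not the poster's actual configuration.

```python
import re

STANZA = re.compile(r"^\[.*\]\s*$")      # e.g. [perfmon://LogicalDisk]
KEY_VALUE = re.compile(r"^[^=\s][^=]*=")  # e.g. interval = 300

def unparseable_lines(conf_text):
    """Return (line_number, text) for lines that cannot be read as
    blank, comment, stanza header, key = value, or a continuation."""
    findings = []
    continued = False  # True when the previous line ended with a backslash
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if continued:
            # Part of the previous value; it may itself continue further.
            continued = line.endswith("\\")
            continue
        if not line or line.startswith("#") or STANZA.match(line):
            continue
        if KEY_VALUE.match(line):
            continued = line.endswith("\\")
            continue
        findings.append((number, line))
    return findings

# Constructed sample: the counter list wraps onto a second line
# without a trailing backslash, so line 3 has no key.
WRAPPED = """[perfmon://LogicalDisk]
counters = Disk Reads/sec;
Disk Writes/sec; Free Megabytes;
disabled = 0
"""

# Constructed sample: the same list wrapped with a backslash continuation.
CONTINUED = """[perfmon://LogicalDisk]
counters = Disk Reads/sec; \\
Disk Writes/sec; Free Megabytes;
disabled = 0
"""

if __name__ == "__main__":
    for label, text in (("wrapped", WRAPPED), ("continued", CONTINUED)):
        hits = unparseable_lines(text)
        print(label, "->", hits if hits else "no unparseable lines")
```

Run against the real inputs.conf, the reported line numbers can be compared with the line number in the IniFile warning.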