All Apps and Add-ons

Perfmon-Warnings when restarting Splunk UF Service

New Member

Hi everyone,

I'm running a Splunk UF 6.6.8 on Windows Server 2012 and indexing perfmon data using the Splunk TA for Windows. Each time I'm restarting the service (due to server reboot for example), I'm getting the following Warnings in Splunk:

WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf, line 100: Cannot parse into key-value pair: Disk Writes/sec;

I'm getting casual perfmon data during runtime, however I can repeat this behavior with every service-restart, I don't even need to reboot the server. I also tried using mode = multikv, but this had no effect, so I assume it may not really be a parsing issue but something else.

Does someone know the reason behind this behavior and maybe a workaround or bugfix?

Greetings

0 Karma

Builder

Only thing that jumps out at me is the capitalized "I" your "Avg. DIsk Bytes/Write" entry

I don't trust myself to accurately type counter names in perfmon based input specs. Instead I use a powershell script to select from a list of all possible perfmon objects and to return a sample inputs.conf file having their associated counters listed in spec format.

https://github.com/dstaulcu/SplunkTools/blob/master/PerfmonSelectionsToSplunkInput.ps1

alt text

0 Karma

New Member

Yeah that capitalized "i" was a typo. I couldn't copy/paste the config since it lies in a military zone, so all I could do was write it manually. I also don't think this is a configuration issue, since I'm getting data from all counters.

However if the UF service is restarted, I get the stated warning in my _internal index and I don't know why. But only once during the restart.

0 Karma

Builder

try counters = * to see if problem goes away.

also, odd that you would have a search app on UF and that your inputs spec is in it.

0 Karma

New Member

"Search" app is a placeholder. It doesn't matter in which app I put the configuration does it?

0 Karma

New Member

Forgot to add the config-stanza

[perfmon://LogicalDisk]
counters = % Disk Time; %Disk Write Time; % Disk Read Time; % Free Space; % Idle Time; Avg. Disk Bytes/Transfer; Avg. DIsk Bytes/Write; Avg. Disk Bytes/Read; Avg. Disk Queue Length; Avg. Disk Write Queue Length; Avg. Disk Read Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Write; Avg. Disk sec/Read; Disk Bytes/sec; Disk Transfers/sec; Disk Write Bytes/sec; Disk Read Bytes/sec; Disk Reads/sec; Disk Writes/sec; Free Megabytes;
disabled = 0
instances = *
interval = 300
object = LogicalDisk
useEnglishOnly = true
index = os
showZeroValue = 1
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!